The software was inserted in the lowest level of the operating system, rendering it undetectable by common, commercial spyware detectors. Nevertheless, a financial services expert named Thomas Horne discovered that a Lenovo Yoga 2 Notepad had been deliberately infected with Superfish.
The spyware was not only redirecting traffic from his computer to a website called Best Deals Products and was dropping ads into his sessions, but was also hijacking secure browser sessions and accumulating data as it was entered into secure web sites.
This feature made it very easy for hackers to intercept said data. Horne tested other Lenovo computers in various retail outlets in both Sydney, Australia, and New York City and found them to be similarly infected with Superfish.
Lenovo has been apologetic (3) about the snafu and has stated that it has stopped loading the offending spyware. The company has posted uninstall software on its support website (4).
Various other spyware removers such as McAfee have been updated to deal with Superfish as well. Nevertheless, Lenovo claims to have installed the spyware in its products to enable its customers to discover “interesting products while shopping”. The fact that companies selling such products stand to benefit is a matter left unmentioned.
Adware, as Lenovo calls it, or spyware, as its customers call it, is an annoyance that takes up CPU and is intrusive, hence the market for software that removes such programs from computers that have been infected.
The security holes that existed in Superfish are a far more serious matter. Lenovo is the largest personal computer maker on the planet, with business in 60 countries. It can ill afford the hit to its reputation that selling customers infected products vulnerable to hackers entails.
The lawsuits against Lenovo and the Israeli company that produces Superfish have already begun (5). A class-action has been filed in U.S. District Court for the Southern District of California seeking unspecified damages.
The filing alleges that the spyware invaded the privacy of customers and left them open to hacking and other malicious cyber-attacks. The filing also states that the spyware took up CPU resources and bandwidth.
Considering the extent of the class of customers that could be covered by the lawsuit, the damages that Lenovo and its Israeli partner might suffer could be severe.
Lenovo’s competitors are also taking advantage of the company’s self-inflicted problems. According to CNET (6), Hewlett-Packard has begun to mock Lenovo on Twitter. One example was, “The only thing you should have to think of when someone says Superfish.”
The tweet was accompanied by a picture of a piece of sushi. Of course, while HP can be forgiven for having some fun at the expense of its competitor, it might want to take care that its own products are as secure as possible.
The question arises, as Engadget (7) puts it, of how Lenovo missed the security hole in Superfish in the first place. It is certainly not in the company’s interest to leave its customers open to security breaches. The snafu suggests that there is a quality control problem at both Lenovo and the Israeli company that produced the spyware to begin with.
Lenovo’s bigger problem will be how to regain the reputation that has been so severely damaged by the situation. The company can fix the quality control problems and fire people responsible, but convincing customers that it won’t happen again will be a long, arduous process.
Meanwhile, competitors like HP will be poised to snap up discontented computer users and cut into Lenovo’s market share.