Lenovo Superfish Lessons – Manufacturers It’s Time to End Crapware


Sadly, the adware, spyware and crapware problem has been around for ages. PC makers, smartphone manufacturers, tablet makers and many others have loaded up new computing devices with oodles of junk software while claiming they want to offer customers choices and much-needed “features”. In most cases this “software” is adware, spyware, badware, and all other manner of junk. No matter how we sugarcoat it, it is all simply malware. Malware is hostile or intrusive software that aims to disrupt your use of your computer, gather sensitive information or further exploit your system.

Lenovo was recently caught placing one such application on its new PCs. The company claims it was to offer a useful VisualDiscovery feature to its users. From October to December 2014 Lenovo shipped Superfish on a variety of its notebooks. This all seems quite innocuous until we delve a bit deeper. Superfish actually injected ads into search engine results and intercepted and hijacked SSL/TLS connections to websites, effectively committing a MiTM (Man in the Middle) attack on your machine. This means that your traffic to the Internet passed through Superfish’s MiTM, giving Superfish the capacity to secretly relay traffic thought to be secured via SSL/TLS. To do this, Superfish added a trusted certificate authority, which it used to generate false certificates and present them to your browser in real time when you visited a legitimate site like gmail.com, outlook.com, etc. This was a colossal failure of any notion of trust a purchaser should have in any computing device manufacturer for many reasons:


As if this malware weren’t offensive enough already, it was found to be readily exploitable. This means that cybercriminals can use the existence of Superfish as a conduit to hack your machine(s). What makes matters even worse is that Superfish isn’t the only crapware out there that opens users up to security vulnerabilities they wouldn’t have if it were not installed by the manufacturer.


Users have a right to basic privacy. If a device is going to break that very basic assumption, this should be disclosed in writing, and the onus should be on the manufacturer to explain in detailed plain English how the technology is used (or misused). Disclosure is a critical piece of addressing this issue. As the issue of privacy comes more to the fore, so too will the demands of users. We as users of these technologies must demand that they have privacy baked in and respect our needs.
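The interception described above, where one locally trusted authority issues the certificate for every site you visit, leaves a recognizable pattern: unrelated sites all show the same issuer on the affected PC but different issuers elsewhere. The following check is an added example, not code from Lenovo, Superfish or the author; the host names, issuer names and the `find_interception` helper are made up, and the issuer observations are assumed to have been collected separately.

```python
from collections import defaultdict

# Constructed sample data (all host and issuer names are made up): the issuer
# of each site's certificate as seen on the PC under test, and as seen from an
# independent vantage point that is assumed to be free of interception.
LOCAL = {
    "mail.example.com": "Injected Local Root",
    "bank.example.net": "Injected Local Root",
    "shop.example.org": "Injected Local Root",
    "intranet.example.com": "Example Corp Internal CA",
}
REFERENCE = {
    "mail.example.com": "Public CA One",
    "bank.example.net": "Public CA Two",
    "shop.example.org": "Public CA One",
    "intranet.example.com": "Example Corp Internal CA",
}


def _norm(name):
    """Compare issuer names case-insensitively, ignoring extra whitespace."""
    return " ".join(name.split()).lower()


def find_interception(local, reference, min_hosts=2):
    """Hypothetical helper: return {issuer: sorted hosts} for every issuer that
    replaces the reference issuer on at least `min_hosts` hosts."""
    replaced = defaultdict(set)
    for host, issuer in local.items():
        expected = reference.get(host)
        if expected is None:  # no reference observation, so nothing to compare
            continue
        if _norm(issuer) != _norm(expected):
            replaced[issuer].add(host)
    # One changed host can be an ordinary CA migration; the same replacement
    # issuer across several unrelated hosts points at a local interceptor.
    return {i: sorted(h) for i, h in replaced.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for issuer, hosts in find_interception(LOCAL, REFERENCE).items():
        print(f"{issuer!r} replaces the expected issuer on: {', '.join(hosts)}")
```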

Lenovo Backpedals… SuperFast

Lenovo has since backpedaled on this issue. It has offered details on how to remove Superfish and even made it clear it will begin shipping its PCs with a “clean” version of the Microsoft operating system. Either way, the cat is out of the bag and the company will still see class action lawsuits. I applaud Lenovo for having this change of heart but I’m waiting for others in this industry to follow suit.

Ban Crapware/Malware on ALL Computing Devices

The time has come for the manufacturers of computing devices to do the right thing and ban all preloaded crapware/malware. We should receive the hardware we purchase with a clean operating system, or be able to reinstall it to this state from an available download. Since the beginning of my career I have always built from known clean binaries so as to sidestep this issue. Regular non-technical users shouldn’t have to worry about this. For this reason, I’m calling upon all other PC, smartphone, tablet and other manufacturers to follow suit. Give us a device that is clean and free from crud, crap or malware. What say you, manufacturers? What do you think as a consumer?

Joseph P. Guarino has a long history of producing business results with the application of information technology. Joseph's expertise spans over 15 years in the private sector at leading technology firms and consulting organizations. With Evolutionary IT, he saw a market need to bring his transformative knowledge and expertise to firms in the New England area and worldwide. Joseph is driven by a strong desire to see customers thrive with the best business solutions. Evolutionary IT evolved out of this desire to bring a new level of quality IT solutions, align them with business goals and give customers a competitive edge.