China’s Lenovo Group, the world’s largest PC maker, said Thursday it is no longer pre-installing software that cyber security experts said was malicious and made devices vulnerable to hacking.
Lenovo had come under fire from security researchers who said earlier on Thursday that the company had pre-installed virus-like software from a company called Superfish on consumer laptops that hijacked Web connections and allowed them to be spied upon.
Users reported as early as last June that a program, also called Superfish, was “adware,” or software that automatically displays advertisements.
Pre-installation of Superfish was stopped in January and has since been disabled on all products in the market, said a Lenovo spokesman in an email to Reuters. Superfish was included on some consumer notebooks shipped between September and December, he said.
“We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns,” the spokesman said. Superfish “does not profile nor monitor user behavior. It does not record user information. It does not know who the user is. Users are not tracked nor re-targeted. … The relationship with Superfish is not financially significant.”
Robert Graham, CEO of U.S.-based security research firm Errata Security, said Superfish is malicious software that hijacks and throws open encrypted connections, paving the way for hackers to also commandeer these connections and eavesdrop, in what is known as a man-in-the-middle attack.
“This hurts (Lenovo’s) reputation,” Graham told Reuters. “It demonstrates the deep flaw that the company neither knows nor cares what it bundles on their laptops.”
Graham and other experts said Lenovo was negligent, and that computers could still be vulnerable even after uninstalling Superfish.
“The way the Superfish functionality appears to work means that they must be intercepting traffic in order to insert the ads,” said Eric Rand, a researcher at Brown Hat Security. “This amounts to a wiretap.”
Concerns about cyber security have dogged Chinese firms, including telecoms equipment maker Huawei over ties to China’s government and smartphone maker Xiaomi over data privacy.
Lenovo commanded one-fifth of the global PC market in the third quarter of 2014, according to data research firm IDC.
(Editing by Miral Fahmy and Vincent Baby)
This article originally appeared on Recode.net.
