We recently brought you security news about how Lenovo, the China-based company that is currently the world’s largest PC manufacturer, had embedded secret spyware, which the company prefers to call “adware”, in PCs sold to the public in order to improve its customers’ buying experience, despite knowing that it was a major security vulnerability. Click here if you missed it!
We also reported that the so-called “adware” was installed in an area of the PC that anti-virus software does not scan, and that it may leave the machines open to unauthorized access by attackers who could steal passwords and other confidential information stored on them.
The IT security community was aghast when this revelation came to light, and Lenovo had to respond to justify its actions. Below is an excerpt of the explanation given by the company’s Chief Technology Officer, Peter Hortensius, when interviewed by The New York Times:
Q: How did Superfish even get onto Lenovo machines in the first place?
A: The original motivation for this was that the product team was being asked, “Can we do something to improve our consumer experience?” Someone had the idea to improve their shopping experience in a novel way — not to own their experience, but just, if the consumer is looking at a desk, can we suggest an alternative product that looks like that desk? The motivation was to enhance the experience. Obviously, in retrospect, if we had known what that meant in terms of how it was implemented, we would have never done it.
Q: I have to press you on that. Mr. Horne brought the security issue to Lenovo’s attention in mid-January, more than six weeks earlier.
A: At that time, we were responding to this issue from a web compatibility perspective, not a security perspective. You can argue whether that was right or wrong, but that’s how it was looked at. We thought turning off the servers at that point would address that problem and that was what was done. At that point, we concluded [Superfish] was not very useful and that is why we started to remove it from the preloads.
Q: Why wasn’t this issue picked up in the quality assurance process? What kind of quality assurance process would even allow for installing this kind of adware on Lenovo machines?
A: At a high level, the team that defines what is in these products will encounter stuff in the market, then they will say, “Here is something we want to do,” and they will engage an engineering team. Then we will go through this thing and make sure it adheres to our policies and practices. We make sure it doesn’t know who the individual is. We make sure it’s opt-in. But what was completely missed in this was the security exposure caused by the design of the certificate authority they used.
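The exposure Mr. Hortensius describes comes down to a root certificate authority that the preloaded software placed in the machine’s trusted root store. The script below is an added example for readers who want to check their own Lenovo PCs; it is not from the article, from Lenovo, or from the New York Times interview. It assumes only the standard Windows certificate stores and the fact that the shipped certificate’s subject name contains “Superfish, Inc.”; the removal step is left commented out so nothing is deleted until you have reviewed the output.

```powershell
# Added example (not from the article): look for the Superfish root CA in the
# Windows trusted root stores. Matching on the subject name "Superfish" is enough
# here because that is the CN the shipped certificate used; the store paths are
# the standard machine-wide and per-user root stores.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'Superfish' } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                # A root CA whose private key lives on the endpoint can sign a
                # certificate for any site the user visits, so this flag matters.
                HasPrivateKey = $_.HasPrivateKey
            }
        }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning 'Superfish root certificate present. Uninstall the software, then remove the certificate from every store listed above.'
    # Removal (run from an elevated prompt for the LocalMachine store). Uncomment
    # after confirming the entries above are the ones you intend to delete:
    # $hits | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) }
} else {
    Write-Host 'No Superfish root certificate found in the trusted root stores.'
}
```

Two caveats a practitioner will want: uninstalling the application is not the same as removing the trust anchor, so re-run the check after the uninstall rather than before; and Firefox keeps its own certificate database separate from the Windows stores, so a browser that was set up to trust the certificate there must be checked separately.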