Author(s): Peter Bryer
The US Computer Emergency Readiness Team issued an official vulnerability note and an alert concerning some of Lenovo's Notebook models. This isn't the sort of recognition companies tend to look for, and will require Lenovo to take on some more reputation repair work.
In December and January, Lenovo pre-installed third-party Superfish software onto consumer PCs shipped by the company. The Superfish app remains active in the PC, installing adverts into Internet search results. Lenovo originally defended the move, saying that Superfish benefits the user by presenting lower-priced products related to the search. The software performed a "man-in-the-middle" attack, allowing it to intercept and interpret incoming traffic and use this to place its own ads.
Some consumers raised concerns about the practice, and Lenovo announced that it would stop preloading the software as user feedback "wasn't positive". However, Superfish isn't just an issue of sneaking in some adverts — it transpired that Superfish uses code from a software company with a reputation of leaving computers very vulnerable to outside hacking. Lenovo issued a downloadable fix, but users must be aware of and have the ability to run the remedy.
Superfish was only pre-installed on PCs for several months, but Lenovo's reputation may take much longer to repair. Consumer trust often takes years to earn but can be lost in an instant. Though Lenovo said Superfish was only installed on consumer models, the company's enterprise customers could be concerned about the possibility of spyware on recently purchased machines.
Lenovo isn't just the top-ranking PC maker in the world — it's also the third-largest smartphone manufacturer. Mistakes like Superfish can contaminate a brand across product lines. However, it's too early to tell if there will be any severe long-term consequences to Lenovo's image. The technically complicated nature of Lenovo's transgression could prevent many consumers from realizing the potential severity of the problem — "universal self-signed certificate authorities" are discussed as a large part of the issue, for example. Some experts are insisting that PCs should be completely wiped to better assure security. Lenovo would be wise to supply more clarity and cooperation to concerned users.
The exact financial benefits to Lenovo weren't made public, but it's likely that the company was eager to supplement low-margin hardware with higher-margin recurring service revenue. Lenovo isn't alone in the endeavour: some other major hardware makers are developing themselves on the razor-and-blades business model (whereby a product is keenly priced to encourage sales of complementary goods). The Superfish affair is bound to raise privacy concerns across the board. The shark tank awaits.