Sometimes big threats to consumers’ digital security and privacy come in the form of pre-installed programs: software built into consumer products that creates vulnerabilities hackers can exploit.
Last week, Reuters reported that the Department of Homeland Security issued an alert about a harmful pre-installed program on Lenovo laptops. The program – nicknamed Superfish – makes users vulnerable to SSL spoofing, giving hackers access to encrypted web traffic. The alert advises product owners to take corrective action immediately.
Headquartered in Beijing, Lenovo is one of the world’s fastest growing PC producers. An online statement from the company apologizes for the installation: “In our effort to enhance our user experience, we pre-installed a piece of third-party software, Superfish (based in Palo Alto, CA), on some of our consumer notebooks.” The statement continues with a reiteration of Lenovo’s commitment to security and concludes with a list of products on which Superfish may have been installed.
At the end of the week, Lenovo also provided both manual removal instructions and a downloadable, automatic tool to remove the program. According to Lenovo, Superfish was pre-installed on machines that shipped from September through December of last year, but the company does not disclose the quantity of affected products.
Online rumors of a class-action lawsuit are swirling, and the full consequences of the vulnerability remain to be seen.