Patty’s Pioneer, Peter Horne,
Exposes Lenovo Security Risk
By
Patty Seybold Things have been buzzing on our private email listserv over the past
two months. Peter Horne, one of the most active members of Patty’s
Pioneers, began discussing a troubling problem he had found on a Lenovo
computer he purchased in Sydney, Australia in early January, 2015. Pete
quickly discovered malware on his new computer. He realized that this
malwareSuperfish Adware had been pre-installed at the Lenovo factory as
part of the Lenovo additions to the pre-installed version of the Windows
operating system. He found that the Superfish Adware had compromised the
Windows network software at a very low level, allowing it to insert its
own script into every single page viewed by a browser. It was at such a
low level that it did not matter which browser was used Explorer, Chrome,
or Firefox it wa was the operating system that was compromised.
Furthermore, it was so deep in the operating system that neither McAfee,
Trend Micro, nor the Microsoft malware removal tool, found the Superfish
software.
Customer Tried to Alert the Company; But Was
Ignored
Peter reported the infected computer to the
store, and they contacted their Lenovo sales rep. However, Lenovo had a
policy of not talking directly to customers about store enquiries, and he
waited. Nothing happened, and so he logged his own call with the Lenovo
Help desk.
But, this was all to no avail. Repeatedly, company spokespeople told this
savvy customer, who was only trying to help, that he was mistaken.
Nothing like this could possibly be happening. “Lenovo doesn’t distribute
Malware.” Pete offered to walk the Lenovo product manager through the
process to demonstrate the existence of the Malware, but nobody ever got
back to him. In the end, the store manager refunded Pete the money
because he was convinced of the issue himself, and he wanted to keep a
valuable customer who had purchased many items at the store in the past
with no problems.
While he was getting the run around from Lenovo, Pete also did a fair
amount of time-consuming due diligence. He checked computers at Lenovo
stores in four cities around the world. He asked other Pioneers to check
their own machines and at local stores.
If Lenovo’s management had paid attention to the customer feedback from
Pete and other customers, their security team might have discovered the
issue, quietly dealt with it, and avoided the ensuing uproar.
Customer Alerts the Press
Pete was
troubled. He’s also a busy guy. He was tempted to move on, but was
troubled by the fact that less tech-savvy consumers would be buying a
spyware-infected computer. He reached out to the other members of the
Pioneers’ forum, including my brothers, Jonathan and Andy Seybold, who
encouraged him to get the word out, and they helped by contacting
reporters they knew at the New York Times.
Luckily, a tech-savvy reporter, Nicole Perlroth, paid attention,
interviewed Pete, and began doing her own investigation.
Other reporters also got wind of the story. The first article that
appeared was written by Timothy Seppala for Endgadget.com.
New Lenovo PCs shipped with Factory-Installed Adware appeared at 1:25
am on February 19th. Timothy based his story on the user
discussions about this adware he found on the Lenovo Forums. It was also
discovered that Superfish used a product from Komodia that corrupted the
machine’s trust store the store of certifiicates that vendors include
that certify that SSL connections can be trusted. The Komodia
certificate opened all infected computers to “man-in-the-middle” attacks
an attack that allows bad guys to impersonate the siites you trust and
capture your traffic.
Nicole Perlroth’s first New York Times article appeared online at
7:44 pm on February 19, 2015,
Researcher Discovers Superfish Spyware Installed on Lenovo PCs, and
in the print edition the next day. Essentially the same story was
published as “Spyware Is Found Installed on PCs Made by Lenovo,”
as well as in newspapers around the world, since it was submitted to, and
distributed by, the Associated Press. It was Peter Horne who revealed to
Nicole the darker truth it wasn’t just thatt adware was being
pre-installed inside the machine's operating system it was tracking every
single page and immage a user was looking at, and sending all the
metadata to the Superfish servers! And it could not be turned off.
Once the story was out, a feeding frenzy quickly spawned lots of
follow-on articles.
The Damage Continues
Lenovo’s stock
price has been hit. The company is now facing
lawsuits. The Lenovo websites are under siege. Many customers have
decided they won’t ever trust the brand again, for either consumer or
business computers.
And there’s more troubling information about to come to light (stay
tuned).
Peter Horne is raising some additional questions:
What’s happening to the massive amounts of personal data that has
already been siphoned off by these services for anyone who is using one
of the affected models of a recently purchased Lenovo consumer PC?
Why is it so easy to spoof the supposedly secure Certificate
Authority on which our global e-commerce infrastructure is built? Look at
how corrupted the Certificate Authority process is. This incident
highlights its incredible flimsiness and vulnerability.
What is visual search, where did it come from and how is it being
used? If Superfish is collecting the photo DNA of all the photos your
mouse touches and combining that information your internet session data,
and mining that data, this is a huge invasion of privacy.
Who are these companies, Superfish and Komodia, and who are the
people behind them? Executives at both companies are open about their
backgrounds in intelligence work in Israel, their work for intelligence
specialist companies, their work on intelligence contracts, and the
decision to move their operations to the U.S. Why haven't they said
anything about their products and services?
The Moral of the Story: Listen to What Your Customers Are
Trying to Tell You!
Don’t ignore your customers’
attempts to warn you about a product or a process flaw that will damage
your reputation! To their credit, Lenovo executives have finally reached
out to Peter Horne (and probably other smart customers) and asked for
their help in keeping similar problems from happening in the future.
After all, if you have smart customers, why not harness their
intelligence to keep you out of trouble? Click
here to read the longer version of this post.
If you were forwarded this message and would like to receive our
weekly customers.com emails, click
here.
