
Lenovo Sued Over Superfish Adware


We keep hearing about cyberattacks on Target, Sony and the insurer Anthem. Now a class-action lawsuit filed last week claims the world's biggest computer maker made things easier for hackers. The suit claims that last September, Lenovo started installing software on some of its notebooks to track shopping habits but in the process, created a gigantic security hole that could expose sensitive information. Lenovo told NPR it has stopped installing Superfish, but critics say a lot of users are still vulnerable. And for more, we contacted Jordan Robertson of Bloomberg News. Good morning.

JORDAN ROBERTSON: Good morning, Renee. Thanks for having me.

MONTAGNE: Let's start with the software that Lenovo has been installing. It's called Superfish. What exactly is it?

ROBERTSON: This was a technology that not a lot of people had heard of before this. And obviously, everyone's heard of Lenovo, the biggest PC maker on the planet. They sell 60 million PCs a year. And at some point last year, Lenovo had decided to ink an agreement with this very small company called Superfish to pre-install this software. What the technology does is, you know, it looks at images that you're mousing over on your screen. And it recommends other images around the web that - if you're looking at a couch, let's say, it'll find another couch that might be cheaper than the one you're shopping for - on its own a pretty innocuous function.

MONTAGNE: Innocuous - although I must say rather irritating.

ROBERTSON: Irritating...

MONTAGNE: This is a couch they want you to see.

ROBERTSON: Yeah, it's irritating but on its own, not necessarily a security problem. But the way this technology displays those ads is a huge security problem because if somebody's sitting on the same network, it will be trivial to intercept every e-mail you type and every password you enter. And that's a big problem.

MONTAGNE: Why do you think Lenovo installed something that had such potential for cyberattack?

ROBERTSON: There are two answers to that. The first one is that Lenovo - we've talked to them extensively. They've done, you know, a very aggressive job of coming out and trying to fix this. What they say is, you know, we wanted to offer a service that would benefit our users. They received what they describe as a small payment from Superfish to pre-install this technology. And that's really the key here - is that companies like PC makers, mobile handset makers - they're looking for ways to squeeze any extra pennies they can. Anytime you buy a machine, whether it's a PC or a phone, you get all kinds of stuff you can't remove.

And if it's just bloatware and adware, that's one thing. But when it creates a security hole, and it's baked into the operating system - that's the thing here that Lenovo has done that has been jaw-dropping for some security experts. Lenovo absolutely knew what it was doing. They knew the modifications that they had to make to make the software work as it's supposed to. So to Lenovo's credit, they've partnered with Microsoft, they've partnered with Symantec and McAfee and other companies so that those programs will wipe Superfish from your computer. But there's a big catch there. And that's, you know, we've seen figures that - maybe, like, a third of all users actually get updates because updates are annoying. So Lenovo could do whatever it wants, but the cat's out of the bag.

MONTAGNE: Jordan Robertson reports on cybersecurity for Bloomberg News. Thank you very much for coming in.

ROBERTSON: Thank you for having me.

Transcript provided by NPR, Copyright NPR.