Alert-Lenovo Used Superfish To Spy On Notebook Owners

If you own a newer Lenovo consumer notebook/laptop (Purchased in September 2014 or later) there's a good chance that you have been spied on by Lenovo. Just a few days ago Lenovo admitted that they had installed the "Superfish" adware (more like malware) on a number of consumer-grade notebooks as a "way to enhance the customer experience" when in reality the Superfish software was actually acting as a "man in the middle" allowing it to view any and all web traffic, including encrypted traffic, emanating from an infected laptop. So all that "secure" browsing you've done on your Bank's website, for example, could have been visible to Lenovo/hackers. Comforting, huh?

If you own a Lenovo laptop and weren't aware of this (like I wasn't) you might want to take some measures to protect yourself from any further potential damage. I first became aware of Superfish while listening to Leo Laporte's "The Tech Guy" while at work yesterday. Here's a link to show #1164 where Leo discusses Superfish (around 4 minutes into the show).  Here's a link from a story on ARS Technica discussing Superfish adware/spyware.

Also, if you Google "Superfish" you will find plenty of articles on the matter.

What Should You Do

What if you have a Lenovo laptop and think that it's infected? What should you do?

The first thing I would do is remove Superfish. You could go about it a couple of different ways, the quick and easy way or the "nuclear option". The quick and easy way is to use a tool provided by Lenovo to remove Superfish. Here's a link to Lenovo's support site where they discuss Superfish, the infected laptop models and how to remove Superfish using the tool.

The "nuclear option" would be do a clean install of Windows on your laptop. This involves wiping the drive that has Windows on it and re-installing Windows from a "known" clean Windows disk (not the disk or recovery partition that came with your Lenovo laptop. I know that's a pretty drastic measure but it might be the only way to truly remove Superfish.

What I Am Going To Do

In my case, even though my laptop model is on Lenovo's list of potentially infected models I purchased the laptop in March of 2014 so I supposedly don't have Superfish installed. I ran the tool from Lenovo's site and it indicated that Superfish wasn't on my laptop. I think I'm fairly comfortable with that but I also think my faith in Lenovo has been forever broken. Based on this episode I don't think I will purchase another Lenovo product in the future despite Lenovo's claims that they weren't aware of how bad Superfish was,

The bottom line is that I believe Lenovo knew exactly what Superfish was doing and did nothing about it until they got called out on it. I find that inexcusable but unfortunately in today's tech environment I don't think we really can expect truly anonymous computer/internet use, at least not without going to relatively extreme means. The convenience of always-on accessible anywhere internet comes at fairly steep price, and that price is our privacy. I've made the decision that I'm willing to accept the fact that the odds are that someone could potentially be "spying" on me whenever I'm using the computer. To counter that I do take certain precautions and make sure that I am comfortable with everything I am doing online before I do it. I have also taken some steps to "lock down" my information, by freezing my credit for example, to make it harder for the bad guys to have an impact on me. Am I 100% protected? No, not in the least, but I feel I'm knowledgeable/comfortable enough with the risks.

I think that each of us has to do our own evaluation and come to our own decisions regarding this issue because I don't see these types of "mistakes" going away anytime soon.

Enjoy your Lenovo laptops!