Computer maker Lenovo has been caught shipping computers installed with software that gives it, or a malicious hacker, backdoor access to the PC. Lenovo claims the backdoor is there to, "help customers potentially discover interesting products while shopping," but as The Next Web reported, it also allows a man-in-the-middle attack.
Ignoring the disgusting bit where Lenovo is trying to push shopping/advertising onto their paying customers, this issue highlights the reality that any backdoor baked into any software is accessible by anyone, including malicious hackers. With the U.S. and UK governments both demanding backdoor access to our mobile devices and messaging services, Lenovo's behavior serves as an excellent reminder that we, as consumers, citizens, and subjects, can never tolerate backdoor access in our software.
According to The Next Web, Lenovo was preinstalling software called Superfish onto its Windows PCs from sometime in September to sometime in December. Superfish "installs itself as a root certificate authority on the machine," meaning that it can be used to "impersonate any server’s security certificate as it is one of the highest trust levels on your machine."
In other words, Superfish can be used to make you, the unwitting PC user, think that a website is safe and secure when it is not. It can also be used to "eavesdrop on any secure connection." On a properly secured PC, the user would get a warning when that happened, but thanks to Superfish, no such warning would be issued, because there is a certificate in place that indicates this is all totally fine.
And this is because Lenovo wanted to make an extra buck off you by interfering with your shopping. It's one thing when Google or Facebook make you the product for a "free" service." It's another when a hardware maker is charging you for the hardware and still making you the product.
What makes this particularly egregious is that the PC maker has compromised the security of its users in the process. Lenovo told The Next Web that it disabled the server Superfish talked to in January, disabling the moneygrubbing Superfish was meant to do, but the certificate trusting those shady connections remains a breathtaking flaw waiting to be exploited. If you want to make sure you are not affected by this, you can visit a website that checks and indicates with an image whether or not the certificate is still there, and supplies you with instructions for removal.
Surely the Chinese government to whom Lenovo ultimately answers to wouldn't take advantage of this, right? Or the U.S.'s National Security Agency? Or one of a hundred criminal gangs of Russian hackers? No, surely not.
As noted up top, this situation illustrates that backdoor access must not be built into consumer software. Western governments and Eastern governments alike feel entitled to such access, but when they have it, everyone else has it, too.
Increasingly it seems there is only one technology giant fighting for our right to privacy, and that's Apple. This is just another bullet point to that effect.