The discovery that Lenovo installed the Superfish adware on certain laptops proves that consumer devices are still not secure enough for enterprise use, according to experts in the security community.
Lenovo's bizarre decision surfaced earlier in February when several customers reported finding the Superfish adware installed on their machines.
Superfish collects data such as web traffic information using fake, self-signed root certificates and then uses it to push advertisements to the user.
The certificate's nature led to concerns that the adware was leaving Lenovo customers' data open to man-in-the-middle cyber attacks, as University of Surrey professor Alan Woodward explained to V3.
"What this software does is issue its own certificate pretending to be from the site owner which enables it to read everything you're sending to the site. Ostensibly this is so they can monitor what you're interested in and then serve you adverts," he said.
"The trouble is it scoops up everything, including potentially sensitive data. This issuing of certificates trusted by the machine should just not be allowed: it circumvents the entire trust chain on which certificates rely."
Chris Wysopal, chief information security officer and chief technology officer at Veracode, added that the adware could be used to siphon vast amounts of sensitive data.
"Using this certificate and readily available attack tools, attackers could intercept secure banking, email and e-commerce sessions or inject malware while victims use public WiFi," he said.
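The trust-chain failure Woodward and Wysopal describe, reproduced with constructed certificates as an added example that is not part of the original article: a look-alike certificate for a site is rejected by a client that pins to the genuine root, and is accepted only once the adware's self-signed root is added to the trusted set. The certificate names, the host bank.example and the helper functions are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn: self-signed (a root CA) when parent is nil, else signed by parent's key.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed serial; only uniqueness matters here
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // a root vouches for itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // template is well-formed
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsToTrustedRoot is the defender-side check: verify leaf for host against an explicit
// allowlist of roots rather than whatever happens to sit in the machine's trust store.
func chainsToTrustedRoot(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}

// DemoInterception: a look-alike bank.example certificate is rejected until the adware root joins the trusted set.
func DemoInterception() (genuineOK, lookalikeOK, lookalikeOKWithInjectedRoot bool) {
	realRoot, realKey := newCert("Genuine Root CA (constructed)", true, nil, nil)
	adwareRoot, adwareKey := newCert("Adware Root CA (constructed)", true, nil, nil)
	realLeaf, _ := newCert("bank.example", false, realRoot, realKey)
	fakeLeaf, _ := newCert("bank.example", false, adwareRoot, adwareKey)
	genuineOK = chainsToTrustedRoot(realLeaf, "bank.example", realRoot)
	lookalikeOK = chainsToTrustedRoot(fakeLeaf, "bank.example", realRoot)
	lookalikeOKWithInjectedRoot = chainsToTrustedRoot(fakeLeaf, "bank.example", realRoot, adwareRoot)
	return
}
```

The third result is the Superfish condition: once the rogue root sits in the trust store, every certificate it mints for any site passes the usual chain check, which is why pinning to an explicit root set (or auditing the store for unexpected self-signed roots) is the detection that matters.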
Lenovo installed Superfish on a selection of consumer laptops, and chose to keep its business-focused ThinkPad line free of the adware.
Wim Remes, Rapid7's manager of strategic services, cited the appearance of Superfish as evidence that consumer devices are still ill-suited for work purposes.
"That a big vendor like Lenovo lends itself to this kind of practice is a big disappointment. We cannot expect each individual user to be able to verify which systems are trusted or not. Everybody in the supply chain has a responsibility that cannot be denied," he said.
"Vendors of consumer hardware, having a vested interest in a secure internet, should hold themselves to a high standard. The security of their users should always prevail over the commercial benefit of adding third-party software to systems."
Woodward agreed, arguing that the Superfish incident should act as a wake-up call to manufacturers.
"It is an extraordinary state of affairs that one of the largest suppliers of PCs in the world is shipping machines with a piece of software that behaves in this way," he said.
"I hope this acts as a wake-up call to manufacturers to stop shipping third-party software with new machines. They may be doing it with the best of intentions but as we know the road to hell is paved with good intentions."
The experts' comments come amid a heated debate about employee use of personal devices for work.
The bring-your-own-device (BYOD) movement is popular among employees, but research by IBM showed that only eight percent of firms let employees use their own laptops.