V3 Enterprise Mobility Summit: The discovery that Lenovo installed the Superfish adware on certain laptops proves that consumer devices are still not secure enough for enterprise use, according to experts in the security community.
Lenovo's bizarre decision surfaced earlier in February when several customers reported finding the Superfish adware installed on their machines.
Superfish collects data such as web traffic information using fake, self-signed root certificates and then uses it to push advertisements to the user.
Because that certificate is installed as a root trusted by the machine, its presence led to concerns that the adware was leaving Lenovo customers' data open to man-in-the-middle attacks, as University of Surrey professor Alan Woodward explained to V3.
"What this software does is issue its own certificate pretending to be from the site owner which enables it to read everything you're sending to the site. Ostensibly this is so they can monitor what you're interested in and then serve you adverts," he said.
"The trouble is it scoops up everything, including potentially sensitive data. This issuing of certificates trusted by the machine should just not be allowed: it circumvents the entire trust chain on which certificates rely."
Chris Wysopal, chief information security officer and chief technology officer at Veracode, added that the adware could be used to siphon vast amounts of sensitive data.
"Using this certificate and readily available attack tools, attackers could intercept secure banking, email and e-commerce sessions or inject malware while victims use public WiFi," he said.
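The interception mechanism both experts describe rests on one artifact: a self-issued root certificate sitting in the machine's trust store together with the private key needed to sign leaf certificates for arbitrary sites. The PowerShell audit below is an added example for defenders and is not code from the article, Lenovo or any of the quoted researchers. It walks the Windows machine and user root stores and flags any root that carries a private key (a legitimate public CA root never does on an end-user PC) or whose subject names a known interception vendor; the vendor name list, here just "Superfish", is an assumption you would extend with your own indicators.

```powershell
# Added example (not from the V3 article): audit the Windows root stores for
# locally installed interception roots of the kind the article describes.
# Assumptions: run from an elevated PowerShell on the machine being checked;
# the Superfish root is matched by the vendor name in its Subject field.

$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$SuspectNames = @('Superfish')   # assumed indicator list; extend as needed

function Get-SuspiciousRoot {
    param([string[]]$StorePaths, [string[]]$Names)

    foreach ($store in $StorePaths) {
        Get-ChildItem -Path $store | ForEach-Object {
            $cert = $_
            $reasons = @()

            # Every entry in a Root store is self-signed by definition, so that
            # alone says nothing. What must never be there is the root's own
            # private key: with it the machine can mint trusted certificates
            # for any site, which is exactly what the adware does.
            if ($cert.HasPrivateKey) { $reasons += 'private key present' }

            # Match known interception vendors by subject name.
            foreach ($n in $Names) {
                if ($cert.Subject -match [regex]::Escape($n)) {
                    $reasons += "subject matches '$n'"
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

$findings = Get-SuspiciousRoot -StorePaths $Stores -Names $SuspectNames
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No interception roots found in the checked stores.'
}
```

Two caveats when acting on a hit: deleting the store entry with `Remove-Item` is only durable once the software that installed it is gone, since the installer can put the root back; and this script covers the Windows stores only, so a browser with its own certificate database (Firefox) needs a separate check.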
Lenovo installed Superfish on a selected number of consumer laptops, and chose to keep its business-focused ThinkPad line free of the adware.
Wim Remes, Rapid7's manager of strategic services, cited the appearance of Superfish as evidence that consumer devices are still ill-suited for work purposes.
"That a big vendor like Lenovo lends itself to this kind of practice is a big disappointment. We cannot expect each individual user to be able to verify which systems are trusted or not. Everybody in the supply chain has a responsibility that cannot be denied," he said.
"Vendors of consumer hardware, having a vested interest in a secure internet, should hold themselves to a high standard. The security of their users should always prevail over the commercial benefit of adding third-party software to systems."
Woodward agreed, arguing that the Superfish incident should act as a wake-up call to manufacturers.
"It is an extraordinary state of affairs that one of the largest suppliers of PCs in the world is shipping machines with a piece of software that behaves in this way," he said.
"I hope this acts as a wake-up call to manufacturers to stop shipping third-party software with new machines. They may be doing it with the best of intentions but as we know the road to hell is paved with good intentions."
The researchers' comments come during a heated debate about employee use of personal devices for work.
The bring-your-own-device (BYOD) movement is popular among employees, but research by IBM showed that only eight percent of firms let employees use their own laptops.