Lenovo in hot water over Superfish adware, but dismisses security worries (updated)

Reports from security consultants, media, and Lenovo users indicate that there’s bloatware pre-installed on recent Lenovo Windows PCs that’s a bit more sinister than a set of superfluous ThinkPad tools. It appears that adware called Superfish had been running on consumer laptops sold by Lenovo between September 2014 and this past January, raising significant security concerns.

In a statement issued on Thursday, Lenovo said although it had disabled Superfish “server side interactions” since January, it could “not find any evidence to substantiate security concerns.” It also promised not to pre-load Superfish in the future, while clarifying that Superfish requires users to approve its terms of use, and that it hasn’t been installed on devices since “December.”

Update: Sometime today, Lenovo changed its statement and quietly removed the line “We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.” The statement was most likely tweaked because there is actually a lot of evidence that Superfish is a security problem. Lenovo also posted a PDF with instructions on how to remove Superfish.

The Electronic Frontier Foundation called Superfish “horrifically dangerous” and a “security catastrophe.”

The worst part is, Superfish isn’t even tangentially useful to the consumer. It’s ad-placing software — so far, what it appears to do is place its own ads against Google search results, which presumably generates income for both Lenovo and Superfish, which is a privately-held Palo Alto-based company. Lenovo’s statement said that Superfish was included “to help customers potentially discover interesting products while shopping.”

While ads might be annoying, the real problem with Superfish is the liberties it takes with users’ machines to serve those ads, which resemble a “man-in-the-middle” attack. The adware makes itself an unrestricted root certificate authority in Windows, so it is able to spoof SSL certificates. If you connect to a secure website, such as your bank, from Internet Explorer or Google Chrome on an affected Lenovo laptop, the security certificate will have been signed by Superfish, as opposed to a trusted SSL certificate services provider like VeriSign.

Essentially, this discovery means that HTTPS browsing on an affected Lenovo laptop is insecure. In fact, researchers have already cracked Superfish’s private key — which was the same on all affected laptops — meaning hackers could snoop on encrypted traffic while on the same network, or even install malware under the guise of a trusted program. Simply uninstalling the program doesn’t remove the unrestricted root certificate.
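One way to check a Windows machine for the leftover root certificate described above. This is an added example, not code from Lenovo or the original article; it assumes the certificate's subject contains the name "Superfish", and it only reads the Windows root stores without changing them.

```powershell
# Added example: audit the Windows trusted-root stores for an interception root
# that stays behind after the adware itself has been uninstalled.
# Assumption: the certificate subject contains the name "Superfish".
$Watchlist = @('Superfish')

function Find-WatchlistedRoot {
    param(
        [string[]]$Names = $Watchlist,
        # Machine-wide and per-user trusted root stores.
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $StorePaths) {
        if (-not (Test-Path $path)) { continue }
        foreach ($cert in Get-ChildItem -Path $path) {
            foreach ($name in $Names) {
                if ($cert.Subject -like "*$name*") {
                    # Emit one record per match so results can be logged or exported.
                    [pscustomobject]@{
                        Store      = $path
                        Subject    = $cert.Subject
                        Thumbprint = $cert.Thumbprint
                        NotAfter   = $cert.NotAfter
                        SelfSigned = ($cert.Subject -eq $cert.Issuer)
                    }
                }
            }
        }
    }
}

$hits = @(Find-WatchlistedRoot)
if ($hits.Count -eq 0) {
    Write-Output 'No watchlisted root certificates found in the Windows root stores.'
} else {
    $hits | Format-List
    Write-Output 'Trusted root still present: uninstalling the program did not remove it.'
}
```

A match means certificates signed by that root are still trusted on the machine, so the certificate has to be removed separately from the program.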

Lenovo is the top PC vendor in the world, according to IDC, and shipped over 16 million PCs in the fourth quarter of last year, part of the period when Superfish was preinstalled on some devices. Here’s an online test to check whether your device is affected.

Motorola sales double in 2014 as the brand re-enters China

Lenovo reported its earnings for the past quarter on Tuesday. During the quarter, the company officially completed its $2.91 billion acquisition of Motorola from Google.

Lenovo announced its smartphone brand sold over 10 million handsets in the most recent quarter. Sure, that pales against sales figures from giants like Apple and Samsung, but at least it’s going in the right direction.

When Lenovo and Motorola smartphone sales are combined, the company is one of the top five smartphone makers in the world, behind Apple and Samsung and in fierce competition with Huawei and LG.

Lenovo Group’s revenue includes laptop and desktop sales, in which Lenovo is the world market leader. Lenovo reported that total revenue was up 31 percent to $14.1 billion. But Lenovo has thin margins, around 2.8 percent, and managed a net profit of $253 million.

Motorola sales were up 118 percent to $1.9 billion. Lenovo once again confirmed that it plans to sell Motorola phones in China, and said it believes Motorola can become profitable in the next year.

Lenovo also completed its purchase of IBM’s server business for $2.1 billion in October.

More importantly, it appears that the Motorola brand resonates in massive and growing smartphone markets like China and India. Motorola announced Monday on Weibo that it had seen 1 million reservations for the decidedly high-end Moto X. In India, Motorola previously said it had sold 3 million smartphones last year, probably mostly the more affordable Moto E and Moto G models.

Because Lenovo didn’t officially complete its acquisition of Motorola until the end of October, much of this success isn’t from Lenovo’s input — it most likely stems from decisions made while Motorola was a Google company, such as the decision to streamline and simplify its main product line under the Moto moniker. Motorola was the hardware partner for the Nexus 6, Google’s reference device for the latest version of Android. Motorola also produces one of the better-received Android Wear smartwatches, the Moto 360.

Lenovo is expected to announce a new smartphone brand in 2015 for China that will be sold directly to consumers online, following Xiaomi’s model.

Samsung is making less money from phones, but chip sales are up

Samsung Electronics announced a fourth quarter earnings decline on Thursday, its first holiday season drop in three years.

The earnings report wasn’t as gloomy as the past few quarters have been: Samsung made an operating profit of 5.29 trillion won ($4.87 billion) on 52.73 trillion won ($48.6 billion) in revenue. Nearly $5 billion in profits is still a big number, but it’s down from last year’s 8.31 trillion won in operating profit. Revenue was down from 59.28 trillion won.

Samsung’s struggles in its cash-cow handset division (IT & mobile communications) are well documented: It’s getting beat by Apple on high-end handsets (even in South Korea) and its margins are getting pressured on the low-end from companies such as Xiaomi and Lenovo. In this past quarter, Samsung reorganized much of its mobile executive ranks, firing several VP-level employees, including head of mobile marketing D.J. Lee, while keeping mobile unit head J.K. Shin in charge. Profit from Samsung’s handset division dropped to 1.96 trillion won from 5.47 trillion won in the year-ago period.

Some are wondering whether Apple may have sold more total handsets than Samsung in the most recent quarter. Samsung says its high-end products, specifically the Galaxy Note 4, are seeing “increased sales.”

One bright spot in the Samsung Electronics earnings report was for its semiconductor division, which posted a profit of 2.7 trillion won ($2.4 billion). Samsung makes processors as well as memory chips.

Samsung attributed its semiconductor division performance to increased demand for DRAM. But part of it could also be due to Samsung winning contracts for semiconductor fabrication for future Apple iPhones, or it could be because Samsung will likely be using its chips in its own phones instead of ones made by Qualcomm, as has been seemingly confirmed by Qualcomm itself. Samsung also plans to spend more money to boost its chip output, the company said in a statement.

Samsung has already made several major shifts in its handset and overall strategy that haven’t completely shown up in this most recent earnings report.

It has consolidated many of its mid-range devices into a new A Series sporting Samsung’s new aluminum construction, and it appears to be going forward with unique curved displays like those found on the Galaxy Note Edge in future devices. Samsung is also a major player in virtual reality, having released the Gear VR headset in the past few months. It released a phone running its own Tizen operating system, which will start showing up in TVs and other connected durable goods made by Samsung’s consumer-electronics division. In the next year, those decisions will start to have a bigger impact on Samsung’s bottom line.

Any pen or pencil is a stylus to this Lenovo tablet

Lenovo’s Yoga 2 tablet may have been announced back in October, but the kickstand-equipped tablet is showing off a new trick this week at CES in Las Vegas: It doesn’t need a stylus because any conductive material — like the point of a pencil — can be used to interact with its touchscreen.

Lenovo calls this feature “AnyPen,” and it’s only available on a special-edition Lenovo Yoga 2 running Windows for now, and only on the 8-inch model. It’s hard to determine what technology enables this feature, but any conductor, even objects like scissors or a screwdriver, can be used as a pointing device. If non-stylus pen support ends up being a largely Lenovo-exclusive feature, I can see it being a major reason to pick up one of the company’s tablets.

Even if you’re not interested in using your junky old pens as a stylus, the special-edition Lenovo Yoga 2 may be a good value. It’s an unusually shaped tablet, with Lenovo’s chunky wedge kickstand hiding a 6400 mAh battery. It’s got a 1920 x 1200 screen that’s powered by a quad-core Intel Atom processor. The special edition will cost $299 when it goes on sale later this month — or $20 more than Yoga 2 tablets without the AnyPen technology.

Most tablet styluses are capacitive pens, which simply mimic your finger. Others, like the pen that comes with the Windows-running Surface Pro 3, have buttons and require your tablet to have a built-in active digitizer. One thing all stylus-equipped touch devices have in common is indecision on how to incorporate the pen into what should be a thin and light device. Microsoft has an external loop accessory for its Surface pen (although it’s sold separately). Samsung’s Galaxy Note Tab line of Android tablets has a built-in stylus slot, but the holster increases the volume of the device.

Sure, most tablet styli are only used to circle things, but there’s still a large contingent that appreciates clicking with a writing implement — especially for the desktop version of Windows that might have small points that users need to click on.

How LG and Motorola are assailing Samsung

Samsung still enjoys a healthy lead atop the Android smartphone heap, but competitors such as LG and Motorola have shown they are starting to find ways to penetrate its market dominance.

Lenovo is preparing a smart bracelet of its own

It seems as if every major computer company wants to make its own wearable bracelet. The latest to jump into the emerging market is Lenovo, which quietly published a product page for a smart band this weekend. There aren’t many details available, but the device — charmingly named the Smartband SW-B100 — has a small screen and promises to track exercise and sleep. It can also be used to unlock a mobile device and display notifications, and it should work with both Android and iOS. Lenovo hasn’t announced a price or U.S. availability yet, but Android Police spotted that it’s been approved by the FCC.