Lenovo Slapped with $3.5M Fine over Superfish

Lenovo is closing the chapter on its ill-advised decision to pre-install adware called Superfish onto a range of laptops without telling customers—with a $3.5 million settlement.

The Chinese PC giant came under fire for pre-loading the code, which was meant to help shoppers by analyzing images on the web and presenting similar product offers with lower prices—thus “helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine.”

However, as we reported at the time, it turned out it did this effectively by launching man in the middle (MITM) attacks against users thanks to thousands of fake, self-signed root certificates. They were all signed with the same root certificate, meaning HTTPS security is broken for all of the affected laptops.

Shortly after that, Errata CEO Rob Graham was able to crack the password for the fake certificate, meaning that hackers could technically launch MITM attacks against any of the affected laptops via public Wi-Fi, and they wouldn’t flag any wrongdoing.

“We thought the product would enhance the shopping experience, as intended by Superfish,” Lenovo said in the aftermath. “It did not meet our expectations or those of our customers. In reality, we had customer complaints about the software.”

Now, three years later, 32 states have won a multimillion dollar settlement to resolve allegations that the company violated state consumer protection laws. They claimed that consumer information, including sensitive communications with encrypted web sites, would be collected and transmitted to Superfish, while making their information susceptible to hackers.

Lenovo stopped shipping laptops with VisualDiscovery preinstalled in February 2015, though the states alleged that some laptops with the software were still being sold by various retail outlets as late as June 2015.

"Consumers have a reasonable expectation that their personal information will be protected when they purchase a new personal computer," said Connecticut Attorney General George Jepsen. "In this case, Lenovo instead built software into devices that compromised consumer privacy and failed to make adequate disclosures to consumers that their personal information was being collected and transmitted to a third party. We appreciate Lenovo's cooperation in bringing this matter to an appropriate resolution."


Have you registered for Infosecurity North America taking place in Boston, 04-05 October 2017? For the full agenda, speaker list and more information, please visit https://www.infosecurity-magazine.com/conferences/infosecurity-north-america/


What’s Hot on Infosecurity Magazine?