Lenovo, one of the world’s largest computer manufacturers, has agreed to settle charges by the Federal Trade Commission and 32 State Attorneys General that the company harmed consumers by pre-loading software on some laptops that “compromised security protections in order to deliver ads to consumers.” You can read more about the original complaint, which involved the Superfish vulnerability, here. Last Monday, the FTC announced that Lenovo will now be required to notify its customers of all the software that comes pre-loaded on their products and to obtain the user’s consent. Additionally, Lenovo will be subjected to 20 years of security audit checks along with a $3.5 million penalty.
What was Superfish?
The Superfish bug refers to a piece of pre-installed OEM software on an estimated 750,000 Lenovo computers. Superfish is named after the company that produced the VisualDiscovery software that Lenovo bundled with its equipment. The software acted as a man-in-the-middle on the user’s own machine, injecting ads into users’ web browsers on behalf of its retail partners. In doing so it exposed end users’ private information and gave attackers a way to access communications that should have been protected by encryption. Lenovo commented on the matter in a press release,
“While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years…Subsequent to this incident, Lenovo introduced both a policy to limit the amount of pre-installed software it loads on PCs, and comprehensive security and privacy review processes, actions which are largely consistent with the actions we agreed to take in the settlements announced today.”
While the tech giant has settled the dispute, it’s a bit unnerving that they do not own up to their mistake, which leaves me less-than-reassured. If you have a Lenovo laptop produced between August 2014 and February 2015, you can go here to find out whether you are still running the affected software.