Lenovo has settled charges with the FTC and 32 state attorneys for shipping laptops preinstalled with the Superfish adware back in 2014 and 2015.
According to a decision published on the FTC’s website, the Chinese hardware vendor has dodged crippling financial penalties. Instead, the FTC has “prohibited” Lenovo from “misrepresenting any features” in case it will ever decide to install adware on users’ laptops. Further, the company must get affirmative consent from users before pre-installing any adware on their devices, something you’d expect companies would do in the first place.
In addition, also part of the settlement, Lenovo will be required to set up a software security program for any software preloaded on its laptops. The company is required to run the program for the next 20 years, and the FTC will subject Lenovo to third-party audits on the program’s implementation.
Punishment is a joke
The entire punishment is a joke taking into consideration what it’s about. Starting with August 2014, Lenovo sold hundreds of thousands of laptops that came pre-installed with a software called VisualDiscovery, developed by a company named Superfish, Inc.. Estimates range from 750,000 to 800,000.
VisualDiscovery was designed to show popup ads whenever users hovered their mouse over certain electronics products, and more. In order to support this behavior, the software used a Man-in-the-Middle (MitM) technique to intercept all of the user’s Internet traffic.
While intercepting HTTP traffic is easy, in order to intercept HTTPS traffic, VisualDiscovery installed its own digital certificate. The problem was that this digital certificate was the same on all devices, and it did not verify the validity of SSL certificates for any website it intercepted.
These two glaring security holes would have allowed anyone to create malware that could have tapped into VisualDiscovery’s insecure MitM technique and intercept web traffic from Lenovo laptops.
While Superfish only collected advertising-related data from Lenovo laptops, consumers didn’t feel at ease with a company they never heard of having untethered access to all of their data, such as passwords, financial data, medical information, or anything else they would have shared via the Internet using their Lenovo laptops.
Superfish adware removed, Lenovo faced class-action lawsuits
After the Superfish adware scandal broke out, Lenovo apologized and worked with industry experts to remove VisualDiscovery from all affected laptops.
Users also filed several class-action lawsuits, some of which were eventually settled. Some attacks using Superfish were detected in the wild.
An FTC complaint was filed soon after. Yesterday’s settlement is only a proposal. The FTC will listen for public comment for 30 days before making it final or adjusting the punishment.