The Federal Trade Commission (FTC) just slapped Lenovo with a $3.5 million fine for risking users’ security with third-party adware pre-installed on its devices. Lenovo has been in a dispute with the FTC for two and a half years over this issue. The laptops that came with pre-installed adware were sold from late 2014 until early 2015 and posed some serious security risks.
The matter has become known as the Superfish bloatware issue because many consumers purchased Lenovo laptops with third-party adware called VisualDiscovery, made by a company called Superfish. As the FTC revealed, the software could access consumers’ personal and sensitive information, including social security numbers, log-in information, and other sensitive details.
As part of the settlement with the FTC, Lenovo has now agreed to pay a $3.5 million fine and take steps to prevent such mishaps from recurring in the future. For instance, Lenovo pledged that from now on, before installing any software programs on its devices, it will ask for user consent. At the same time, Lenovo has also agreed to audited security checks for the next two decades to ensure that its software no longer poses such threats.
“This is an important settlement for New Jersey consumers because it sets down a variety of conditions designed to ensure that, going forward, Lenovo will better protect the personal identifying information of consumers, be more transparent about what software is pre-installed on the products it sells, and provide consumers clearer and more accessible ways to opt out of having such software activated – or present on the machine at all,” said Attorney General Christopher S. Porrino.
The settlement also prohibits Lenovo from misrepresenting the features of any pre-loaded software that injects advertising into users’ online browsing sessions or shares sensitive user information with third parties.
VisualDiscovery basically acted as a local proxy, injecting advertising into search engine results and standing between the user’s browser and all websites accessed, whether they were encrypted or not. Because it acted as a “man in the middle,” the software could not only see all information the user transmitted over the internet but also collect all that data and send it to Superfish.
When users shopped online, for instance, VisualDiscovery would act as a shopping assistant and serve pop-up ads with similar products from various Superfish retail partners. VisualDiscovery would remain enabled on laptops until consumers specifically opted out. The software could intercept traffic transmitted via TLS and SSL connections, which banks and online retailers often use to secure the information.
The security vulnerabilities also prevented users’ browsers from issuing warnings when users visited potentially malicious websites with invalid certificates. According to the FTC, potential attackers could take advantage of such vulnerabilities to intercept users’ communications with any website, including banks, by cracking the pre-installed password.
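As an added defender-side illustration (not from the article, the FTC, Lenovo or Superfish), the check below flags a certificate that chains to a locally injected root rather than to the public CA a site is expected to use, which is how a local interception proxy of the kind described above shows up on the wire. It assumes the dict shape Python's ssl.getpeercert() returns and uses constructed sample certificates; the pin set and the sample issuer names are made up for the example.

```python
import socket
import ssl

def _name_to_dict(rdn_sequence):
    """Flatten getpeercert()'s nested name tuples into a dict."""
    return {key: value for rdn in rdn_sequence for (key, value) in rdn}

def interception_findings(cert, expected_issuer_orgs):
    """Return reasons a leaf certificate looks re-signed by a local
    interception proxy rather than issued by a public CA.
    `cert` has the dict shape of ssl.SSLSocket.getpeercert();
    `expected_issuer_orgs` is an operator-maintained set of issuer
    organizationName values the site is known to chain through."""
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    findings = []
    org = issuer.get("organizationName", "")
    if org not in expected_issuer_orgs:
        findings.append(f"issuer organization {org!r} is not a pinned public CA")
    if subject and subject == issuer:
        # A self-signed end-entity cert is what an injected root looks like
        # when a proxy presents its own root directly.
        findings.append("certificate is self-signed")
    return findings

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check: fetch the certificate a site presents to this machine.
    The default context verifies against the OS trust store, the very
    store an injected root lives in, so a successful handshake proves
    nothing; the caller must still run interception_findings()."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (not real captures) in getpeercert() shape.
SAMPLE_PUBLIC_CA_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA RSA"),)),
}
SAMPLE_PROXIED_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Superfish, Inc."),),
               (("commonName", "Superfish, Inc."),)),
}
```

Run `interception_findings(fetch_peer_cert("your-bank-host"), {"Your Bank's CA"})` on a suspect machine; an empty list means the presented chain matches the pinned issuer.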
After consumers complained that VisualDiscovery interfered with digital certificates, Superfish disabled the software and Lenovo stopped pre-installing it on Windows laptops.
In a statement to Reuters, Lenovo says that it doesn’t agree with the allegations made in the complaints, but it wanted to resolve the matter nonetheless. The company further adds that it is not aware of any instances in which a third party exploited the vulnerabilities to access consumers’ communications.
[Featured Image by Faiz Zaki/Shutterstock]