Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Lenovo Settles FTC Charges Over Superfish Adware

Lenovo has reached a settlement with the U.S. Federal Trade Commission (FTC) and Attorneys General in 32 states regarding the company’s decision to preinstall man-in-the-middle (MitM) software on its laptops.

Lenovo has reached a settlement with the U.S. Federal Trade Commission (FTC) and Attorneys General in 32 states regarding the company’s decision to preinstall man-in-the-middle (MitM) software on its laptops.

The proposed settlement is subject to public comment until October 5. If made final, Lenovo will be prohibited from misrepresenting the features of preloaded software that injects ads into browsing sessions or sends sensitive user data to third parties.

Lenovo is also required to obtain affirmative consent before activating such software, and it must maintain a comprehensive security program for preinstalled applications for a period of 20 years. This program will be subject to third-party audits.

As part of its settlement with state authorities, Lenovo will have to pay a total of $3.5 million. California, one of the states that led the investigation, will receive the largest share, specifically $389,204.

The FTC filed a complaint against Lenovo back in 2015, after security experts discovered that a browser add-on named WindowShopper (VisualDiscovery) from Superfish had been injecting ads into web pages visited by Lenovo laptop owners by using a local proxy and a self-signed root certificate. The application was reportedly installed on hundreds of thousands of laptops in late 2014 and early 2015.

The application basically launched an MitM attack on users’ browsing sessions, allowing it to intercept sensitive information transmitted over the Web. Experts also raised concerns that by replacing legitimate certificates with its own, the Superfish software exposed users to malicious websites that leveraged fake certificates.

The FTC accused Lenovo of failing to inform users that the software acted as an MitM component, activating the software without adequate notice or informed consent, and failing to take measures to assess and address the security risks introduced by the application.

“While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years,” Lenovo said in a statement posted on its website.

“After learning of the issues, in early 2015 Lenovo stopped preloading VisualDiscovery and worked with antivirus software providers to disable and remove this software from existing PCs,” the company said. “To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications. Subsequent to this incident, Lenovo introduced both a policy to limit the amount of pre-installed software it loads on its PCs, and comprehensive security and privacy review processes, actions which are largely consistent with the actions we agreed to take in the settlements announced today.”

While members of the FTC unanimously accepted the agreement, Commissioner Terrell McSweeny issued a separate statement pointing out that the agency should have also added a charge related to Lenovo deceptively omitting that the software would alter users’ Internet experience. FTC Acting Chairman Maureen K. Ohlhausen does not agree with McSweeny’s view.

*Updated to clarify that Lenovo will have to pay $3.5 million to the 32 U.S. states

Related: Asus Settles FTC Charges Over Router Security

Related: Oracle Settles FTC Charges Over Java Security Updates

Related: Uber Settles Complaint Over Data Protection for Riders, Drivers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Audits

Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...