Lenovo’s Superfish security fiasco ends in a slap on the wrist

$3.5 million fine after customers’ privacy and security was compromised.

Graham Cluley

In 2014, Lenovo started to do something very silly.

In fact, it wasn’t just silly – it was downright dangerous, putting the security and privacy of its customers at risk.

Lenovo, which at the time was the world’s biggest computer manufacturer (and is still the second-biggest), was shipping PCs and laptops with software pre-installed that could compromise your security and privacy.


The software was called VisualDiscovery, developed by a company named Superfish, and it inserted adverts into webpages such as Google search results. Unwanted ads are unpleasant enough, especially when served without the user's consent, but Superfish went further: it was effectively using a “man-in-the-middle” technique to crack open your browser’s secure communications, replacing legitimate website certificates with its own.

The “cack-handed” implementation meant that a malicious hacker could exploit affected Lenovo computers to intercept the traffic of innocent customers.
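To make the mechanism concrete, here is an added example (not code from the article or from Lenovo or Superfish) using only the Go standard library. It builds a constructed, test-only "interception root" CA, has it issue a certificate for a site it does not own (the hostname passed in, e.g. www.example.com, is an assumption), and checks whether that certificate validates for the site with the root absent from the trust store and again with it installed. The point for defenders is that the certificate is worthless until the root is trusted, so an unexpected root in the trust store is the thing to look for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint signs tmpl with priv (self-signed when parent == tmpl) and parses the result.
func mint(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
// InterceptionRootTrusted builds a constructed "interception root" CA and has it issue a
// certificate for a site it does not own, as interception adware does. It reports whether
// that certificate validates for the site with the root absent, then with it installed.
func InterceptionRootTrusted(site string) (rootAbsent, rootInstalled bool) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject:   pkix.Name{CommonName: "Constructed Interception Root (test only)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := mint(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	// Leaf for the victim site, signed by the interception root instead of the site's real CA.
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: site}, DNSNames: []string{site},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf := mint(leafTmpl, caCert, &leafKey.PublicKey, caKey)
	trusted := func(roots *x509.CertPool) bool {
		_, err := leaf.Verify(x509.VerifyOptions{DNSName: site, Roots: roots})
		return err == nil
	}
	installed := x509.NewCertPool()
	installed.AddCert(caCert)
	return trusted(x509.NewCertPool()), trusted(installed)
}
```

On a real machine the equivalent check is to list the roots in the operating system and browser trust stores and flag any issuer that is not a recognised public CA or your own organisation's.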

In short, it was a security fiasco, and the Chinese technology firm struggled to regain its users’ trust in the aftermath.

Now, over two years later, Lenovo has settled charges with the FTC and 32 state attorneys general.

As part of the settlement, Lenovo is “prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ internet browsing sessions or transmit sensitive consumer information to third parties.”

In addition, the firm must get the “affirmative consent” of consumers before pre-installing such software, and commit to an externally-audited security program for the next 20 years for any software pre-loaded onto its computers.

Most of the headlines, however, focus on the fine that Lenovo has been hit with: a paltry US $3.5 million.

I’m unconvinced that such a fine sends a strong enough message to other manufacturers not to do something equally stupid.

As we have previously reported, Lenovo did promise to mend its ways shortly after the Superfish debacle came to light, but it has continued to be troubled with issues such as the discovery of privilege escalation vulnerabilities, rootkit-like utilities, dumb default password configurations and security holes in its apps, alongside its corporate website briefly having its DNS entries hijacked by a hacking group in order to play a song from “High School Musical”, and its webpage start page redirecting users to the malicious Angler exploit kit.

I met recently with a Lenovo executive who was keen to acknowledge that the company knew it had screwed up badly in the past, and that it was determined to build a more secure future for itself and its customers. I don’t doubt his sincerity, but ultimately time will tell.

Other companies have successfully turned around their attitudes to privacy and security. If the will is there within Lenovo, then hopefully we’ll see the same success there too, even in the absence of a more substantial financial punishment.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
