Lenovo’s Superfish security fiasco ends in a slap on the wrist

$3.5 million fine after customers’ privacy and security was compromised.

Graham Cluley

In 2014, Lenovo started to do something very silly.

In fact, it wasn’t just silly – it was downright dangerous, putting the security and privacy of its customers at risk.

Lenovo, which at the time was the world’s biggest computer manufacturer (and is still the second-biggest), was shipping PCs and laptops with software pre-installed that could compromise your security and privacy.


The software was called VisualDiscovery, developed by a company named Superfish, and it inserted adverts into webpages such as Google search results. Unwanted ads are unpleasant enough, especially when served without the user's consent, but Superfish went further: it was effectively using a “man-in-the-middle” technique to crack open your browser’s secure (HTTPS) communications, replacing legitimate website certificates with ones signed by its own root certificate.

The “cack-handed” implementation meant that a malicious hacker could exploit affected Lenovo computers to intercept the traffic of innocent customers.

In short, it was a security fiasco, and the Chinese technology firm struggled to regain its users’ trust in the aftermath.

Now, over two years later, Lenovo has settled charges with the FTC and 32 state attorneys general.

As part of the settlement, Lenovo is “prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ internet browsing sessions or transmit sensitive consumer information to third parties.”

In addition, the firm must get the “affirmative consent” of consumers before pre-installing such software, and commit to an externally-audited security program for the next 20 years for any software pre-loaded onto its computers.

Most of the headlines, however, focus on the fine that Lenovo has been hit with: a paltry US $3.5 million.

I’m unconvinced that such a fine sends a strong enough message to other manufacturers not to do something equally stupid.

As we have previously reported, Lenovo did promise to mend its ways shortly after the Superfish debacle came to light, but it has continued to be troubled by security issues since: the discovery of privilege escalation vulnerabilities, rootkit-like utilities, dumb default password configurations and security holes in its apps. Its corporate website also briefly had its DNS entries hijacked by a hacking group in order to play a song from “High School Musical”, and its browser start page was found redirecting users to the malicious Angler exploit kit.

I met recently with a Lenovo executive who was keen to acknowledge that the company knew it had screwed up badly in the past, and that it was determined to build a more secure future for itself and its customers. I don’t doubt his sincerity, but ultimately time will tell.

Other companies have successfully turned around their attitudes to privacy and security. If the will is there within Lenovo, then hopefully we’ll see the same success there too, even in the absence of a more substantial financial punishment.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.
