On September 5, 2017, the Federal Trade Commission announced that Lenovo had agreed to settle charges by the FTC and 32 State Attorneys General that the company had harmed consumers by pre-installing software on certain laptops that compromised security and allowed for ad delivery to consumers.
The FTC complaint alleges that, beginning in August 2014, Lenovo sold consumer laptops in the United States that came preloaded with “man-in-the-middle” software. The software, VisualDiscovery, inserted itself between the user’s browser and the websites it connected to, changing how the two interacted and, in doing so, creating serious security vulnerabilities.
Superfish Inc. created VisualDiscovery, which was ultimately installed on hundreds of thousands of Lenovo computers. The software showed users pop-up ads from Lenovo’s retail partners, generally when the user hovered over a similar product on a website. To do this, VisualDiscovery acted as a local proxy that sat between the browser and every website the user visited.
At the same time, that position gave the software access to the consumer’s personal information without their knowledge or consent: login credentials, Social Security numbers, financial information, and medical information could all have been captured this way. In practice VisualDiscovery collected and sent only limited information to Superfish’s servers, but it was positioned to collect far more.
VisualDiscovery could display pop-up ads even on encrypted (HTTPS) websites. To do so it stripped the website’s own digital certificate from the connection and replaced it with a certificate signed by VisualDiscovery’s root certificate, which had been installed in the laptop’s trusted certificate store so that browsers accepted the substitute without complaint. The FTC claims that VisualDiscovery did not adequately verify the websites’ digital certificates before replacing them, and that it protected the signing key with the same, easy-to-crack password on every affected laptop rather than a unique password for each laptop.
Together these flaws prevented browsers from warning users when they visited a spoofed or malicious website presenting an invalid digital certificate, since every certificate the browser actually saw was the substitute, which chained to the trusted VisualDiscovery root. They also made it possible for attackers to intercept consumer data: because the signing key was the same on every affected laptop and weakly protected, anyone who extracted it could mint certificates that every affected laptop would trust. The FTC complaint alleges that Lenovo did not discover these vulnerabilities because it failed to properly assess and address the security risks of preloading third-party software onto its laptops.
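The certificate substitution and shared-key problem described above, reproduced with the openssl command line as an added example (this is not code from the FTC complaint, from Lenovo or from Superfish). It assumes an openssl binary on the PATH; the CA names legit-ca and interception-root, the host bank.example, the files under a temporary directory and the passphrase weakpass are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the FTC complaint, Lenovo or Superfish. It rebuilds
# the trust problem the complaint describes with the openssl CLI: a root certificate
# that is identical on every laptop, whose signing key is locked with a weak
# passphrase, makes any certificate minted with that key look valid to the browser.
# Assumptions: an openssl binary on PATH; the names legit-ca, interception-root and
# bank.example, the files under $WORK and the passphrase "weakpass" are constructed.
set -eu

WORK=$(mktemp -d)

# Create a self-signed root CA. $1 = name, $2 = key passphrase ("" = unencrypted).
make_root() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    if [ -n "$2" ]; then
        openssl genrsa -aes256 -passout "pass:$2" -out "$WORK/$1.key" 2048 2>/dev/null
    else
        openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    fi
    # openssl ignores -passin when the key is not encrypted
    openssl req -new -key "$WORK/$1.key" -passin "pass:${2:-x}" -subj "/CN=$1" \
        -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -passin "pass:${2:-x}" \
        -days 30 -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# The proxy mints a certificate for whichever host the user visits and signs it with
# the given root; the site's real certificate never reaches the browser.
# $1 = root name, $2 = root passphrase, $3 = hostname
mint_site_cert() {
    openssl genrsa -out "$WORK/$3.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$3.key" -subj "/CN=$3" -out "$WORK/$3.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$3" > "$WORK/$3.ext"
    openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -passin "pass:${2:-x}" -CAcreateserial -days 30 -extfile "$WORK/$3.ext" \
        -out "$WORK/$3.crt" 2>/dev/null
}

# The browser's chain check: prints "trusted" or "rejected".
# $1 = site certificate, remaining args = root certificates the browser trusts
verify_with_roots() {
    cert=$1
    shift
    cat "$@" > "$WORK/trust.pem"
    if openssl verify -no-CApath -CAfile "$WORK/trust.pem" "$cert" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# An attacker who copies the shared key from any one laptop can guess its passphrase
# offline. Prints the passphrase that unlocks the key; fails if the word list misses.
# $1 = root name
crack_passphrase() {
    for guess in 123456 password letmein weakpass qwerty; do
        if openssl rsa -in "$WORK/$1.key" -passin "pass:$guess" -noout >/dev/null 2>&1; then
            echo "$guess"
            return 0
        fi
    done
    return 1
}

demo() {
    make_root legit-ca ""                   # the CA a real site would chain to
    make_root interception-root weakpass    # the preloaded root, identical on every laptop
    mint_site_cert interception-root weakpass bank.example

    echo "browser trusting only the real CA:        $(verify_with_roots "$WORK/bank.example.crt" "$WORK/legit-ca.crt")"
    echo "browser with the preloaded root added:    $(verify_with_roots "$WORK/bank.example.crt" "$WORK/legit-ca.crt" "$WORK/interception-root.crt")"
    echo "passphrase recovered from the shared key: $(crack_passphrase interception-root)"
}

demo
```

Run with sh: the minted bank.example certificate is rejected while the browser trusts only the legitimate CA, becomes trusted as soon as the preloaded root is added to the store, and the passphrase on the shared key falls to a five-word list. Because the minted certificate also carries the host name in its subjectAltName, a real browser's name check passes too, so the substitution is invisible to the user; that is exactly why a root shared across every laptop, with a key anyone can unlock, turns one vendor's ad proxy into a forgery kit usable by any attacker.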
Under the settlement, Lenovo is prohibited from misrepresenting any features of preloaded software that may inject advertising into users’ browsers or transmit sensitive consumer information to third parties. The company must also obtain consumers’ affirmative consent before pre-installing this type of software, and must implement a comprehensive software security program covering most consumer software preloaded on its laptops.
This program will be required to remain in place for 20 years and it will be subject to third-party audits.