Lenovo fined $3.5m for pre-installed adware that hijacks HTTPS connections
Lenovo has reached a settlement with the United States Federal Trade Commission (FTC), ending a two-and-a-half-year dispute over the company pre-installing problematic third-party adware in hundreds of thousands of laptops sold between late 2014 and early 2015.
The Chinese hardware manufacturer has agreed to obtain affirmative consent from consumers prior to installing adware programs in the future, as well as audited security checks of its software for the next 20 years.
"As part of the settlement with the FTC, Lenovo is prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers' internet browsing sessions or transmit sensitive consumer information to third parties," the trade group said in a statement.
New Jersey Attorney-General Christopher Porrino in a separate statement said that his office had finalised terms with Lenovo on behalf of 32 US states, and that the company is required to pay $3.5 million in penalties.
"This is an important settlement for New Jersey consumers, because it sets down a variety of conditions designed to ensure that, going forward, Lenovo will better protect the personal identifying information of consumers, be more transparent about what software is pre-installed on the products it sells, and provide consumers clearer and more accessible ways to opt out of having such software activated -- or present on the machine at all," Porrino said in the statement.
In 2014, Lenovo was found to have shipped software, called Visual Discovery, in its consumer Windows devices that not only injects advertising into search engine results, but also has the capability to intercept and hijack traffic flowing over SSL and TLS connections -- often used by online retailers and banks to secure data -- thanks to the installation of a self-signing certificate authority on affected machines.
"Because of these security vulnerabilities, consumers' browsers could not warn users when they visited potentially spoofed or malicious websites with invalid digital certificates. The vulnerabilities also enabled potential attackers to intercept consumers' electronic communications with any website, including financial institutions and medical providers, by simply cracking the pre-installed password," the FTC said in a statement.
Following the revelation, Lenovo customers were warned to not use their laptops for "any kind of secure transaction", as the software was able to view the contents of connections that should be encrypted, which some security researchers said rendered the last decade of work in making the web secure irrelevant.
According to a former social media manager at Lenovo, the software -- built by advertising firm Superfish -- was designed to "help users find and discover products visually". Visual Discovery presented pop-up ads from Superfish's retail partners -- even on encrypted sites -- whenever the user's cursor hovered over a similar looking product on a website.
"The technology instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine," the social media manager had written on a Lenovo forum back in February 2015.
In early 2015, as a result of user feedback around the software interfering with other digital certificates as well as smart card readers, the product was disabled by Superfish, and Lenovo stopped preloading the software.
Lenovo said on Tuesday that it already has introduced a policy to limit the amount of pre-installed software it loads on its products, and created security and privacy review processes -- actions that it said are consistent with the settlement.
The company also stated that it is not aware of any instances of a third party exploiting the vulnerabilities introduced by the software.