The $3.5 Million Check Comes Due for Lenovo And Its Security-Compromising Superfish Adware

from the what-security-and-privacy-problem? dept

You might recall that back in 2015, Lenovo was busted for installing a nasty bit of snoopware made by a company named Superfish on select models of the company's ThinkPad laptops. Superfish's VisualDiscovery wasn't just annoying adware, however; it was so poorly designed that it effectively made all of Lenovo's customers vulnerable to HTTPS man-in-the-middle attacks that were relatively trivial for an attacker to carry out. More specifically, it installed a self-signed root HTTPS certificate that could intercept encrypted traffic for every website a user visits -- one that falsely represented itself as the official website certificate.

That's hugely problematic for what should be obvious reasons, but Lenovo doubled down on dumb by issuing a statement initially claiming it didn't see what all the fuss was about and that it was just trying to "improve the shopping experience":

"We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns."

Security researchers didn't agree. Neither, apparently, did the FTC, which this week gave Lenovo what amounts to a stern talking to after the company settled allegations it had turned a blind eye to customer security concerns:

"Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” said Acting FTC Chairman Maureen K. Ohlhausen. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

The full FTC complaint (pdf) against Lenovo makes it clear the Superfish adware used the same bunk security certificate for every user of the stealthware -- every time it covertly interrupted secure traffic. And, of course, the complaint notes that Lenovo really couldn't be bothered to explain how any of this was happening to the company's customers:

"Respondent did not make any disclosures about VisualDiscovery to consumers prior to purchase. It did not disclose the name of the program; the fact that the program would act as a man-in-the-middle between consumers and all websites with which they communicated, including sensitive communications with encrypted https:// websites; or the fact that the program would collect and transmit consumer Internet browsing data to Superfish."

Yeah, whoops. One complaint exhibit highlights that while users had the option of opting out of this security-compromising, behavioral advertising effort, Superfish and Lenovo made doing so notably hard to spot:

But again, nowhere was the encryption-compromising aspect of this software disclosed to the end user, even in the finest of fine print in the company's privacy policy. And opting out only prevented users seeing ads dictated by their previous browsing habits; doing so didn't stop the software from faking security certificates and compromising the end user's security.

Lenovo won't be required to pay a dime to impacted users; FTC boss Ohlhausen (who downplayed the severity of the deception in her own statement (pdf)) claims the agency lacks the legal authority to obtain civil penalties for first-time violators under the FTC Act. As part of the settlement, Lenovo is prohibited from misrepresenting "features of software preloaded on laptops that will inject advertising into consumers' Internet browsing sessions or transmit sensitive consumer information to third parties." Lenovo must also get explicit consumer opt-in consent before installing similar software in the future, and must implement -- for the next 20 years -- a software security program to more dutifully analyze the security impact of such programs.

A day after Lenovo's settlement with the FTC, the company also struck a $3.5 million settlement (pdf) with a coalition of 32 states for violating user privacy and failing utterly to disclose the dangerous nature of the company's laptop bloatware. In a statement Lenovo proclaimed it had seen the error of its ways, and that "security, privacy and quality are top priorities at Lenovo." Of course this is the same company that shortly after the Superfish fiasco was caught stealthily installing bloatware via laptop BIOS, so hopefully Lenovo won't mind if people wait a little while before declaring the company truly reformed.


Filed Under: adware, ftc, malware, superfish, tracking
Companies: lenovo


Reader Comments

  • Anonymous Coward, 7 Sep 2017 @ 12:26pm

    "bloatware via BIOS"

    Of course this is the same company that shortly after the Superfish fiasco was caught stealthily installing bloatware via laptop BIOS

    Don't let Microsoft off the hook there. They intentionally added an antifeature that users can't disable, by which Windows installs whatever the BIOS tells it to. One could say Lenovo abused that, but that implies it's legitimate in the first place.

    • Berenerd (profile), 7 Sep 2017 @ 1:07pm

      Re: "bloatware via BIOS"

      Where MS might be to blame for shoddy design, that "feature" was put there for making updating the BIOS easier for users not overly confident in doing so the old-fashioned way. Where yes, MS has had issues with their OS, this one indeed was requested by many hardware providers for this purpose. MS is simply guilty of failure to test and secure it. Lenovo is far more to blame as it forced bloatware onto people's computers no matter what they did. You could uninstall it, it would just reinstall after the next reboot. You could format the drive and put another copy of Windows on the system and it would then load the bloatware. No need to use their version of OS that way.

      • Anonymous Coward, 7 Sep 2017 @ 1:43pm

        Re: Re: "bloatware via BIOS"

        that "feature" was put there for making updating the BIOS easier for users not overly confident in doing so the old-fashioned way.

        This has nothing to do with updating the BIOS. It's to make sure software gets installed after doing a clean Windows installation. (Windows pulls software out of the BIOS image, if present, after every reboot, and installs it with administrative privileges. This cannot be disabled.)

        MS is simply guilty of failure to test and secure it.

        And for preventing the user from disabling it. Non-confident users would not intentionally disable the feature, or manually remove whatever got installed; so that it's mandatory, and reinstalls at each reboot, cannot be justified by ease of use.

        • Anonymous Coward, 7 Sep 2017 @ 2:54pm

          Re: Re: Re: "bloatware via BIOS"

          Interesting - what happens when one installs some linux distro and the bios tries to load malware.exe?

          BlueFirmwareOfDeath?

          • Anonymous Coward, 8 Sep 2017 @ 7:27am

            Re: Re: Re: Re: "bloatware via BIOS"

            Interesting - what happens when one installs some linux distro and the bios tries to load malware.exe?

            Nothing, that's not how it works. The BIOS contains a table entry saying "malware.exe" is a Windows program that the OS should install. And Linux ignores that entry, either because nobody cared to add support or because they specifically rejected it as a bad idea. (In theory, they could use binfmt_misc and WINE to run it.)

        • Anonymous Coward, 7 Sep 2017 @ 4:46pm

          Re: Re: Re: "bloatware via BIOS"

          Extraordinary claims require extraordinary proof. You have to prove that *Microsoft* has a feature that allows installation of software from a computer's firmware, rather than what amounts to a rootkit installing software regardless of what Windows does or allows.

          A lot of people blame Microsoft for things other people do because they don't know any better, and this includes people that should know better: ex tech journalists. There is a big difference between the first and the second, and neither is easy to prove without considerable expertise in the matter of Windows internals and firmware-based rootkits. This is something most people, especially journalists, don't have.

  • GristleMissile (profile), 7 Sep 2017 @ 1:17pm

    I will trust Lenovo again when...

    Pigs fly, hell freezes over, the skies rain blood, Jared and Cosby travel back in time to stop themselves from being rapists, and Mt. Rushmore grows limbs and roams the land terrorizing cities with its four fire-breathing faces.

  • Anonymous Coward, 7 Sep 2017 @ 1:18pm

    "One complaint exhibit highlights that while users had the option of opting out of this security-compromising, behavioral advertising effort, Superfish and Lenovo made doing so notably hard to spot:"

    If I didn't know what Superfish is, what it does, or that I had it on my computer, even if I had spotted that opt-out button, it's showing on a goddamned web page, so I would have assumed it was something that the web page owners had put there.

    And with that assumption, I would have probably ignored it, since what's the point of opting out of that particular ad when what I'd expect to get if I did is just a different ad. Like hiding the sponsored posts on Facebook. All you can do is stop getting ads from a particular company. It doesn't mean you'll get fewer ads, just different ones.

  • Anonymous Coward, 7 Sep 2017 @ 1:37pm

    Why do corporations assume that when you buy a computer from them, they are entitled to spy on your use of the machine, and to also force ads onto you? That shows just how much respect they have for their customers.

    • Anonymous Coward, 7 Sep 2017 @ 1:47pm

      Re:

      Why do corporations assume that when you buy a computer from them, they are entitled to spy on your use of the machine, and to also force ads onto you?

      Well, it's a Windows computer, and users have to agree to let Microsoft do that to them. So why not Lenovo?

      • Anonymous Coward, 7 Sep 2017 @ 2:56pm

        Re: Re:

        Your wife allows you to .... ahh forget it

        • Anonymous Coward, 8 Sep 2017 @ 7:30am

          Re: Re: Re:

          It's not good logic, but I could imagine Lenovo using it. Or more likely they just didn't care, and thought they could get away with it. (Which they probably did--it's likely they still get more money from installing bloatware than they lose in lawsuits about that bloatware.)

    • JoeCool (profile), 7 Sep 2017 @ 2:51pm

      Re:

      Because you AREN'T the customer, you're the product. The ad agencies are the customer, and Lenovo is selling YOU to them.

  • Anonymous Coward, 7 Sep 2017 @ 1:58pm

    Just a reminder that the issue here ran pretty deep: Lenovo installed Superfish, which was provided by a third-party developer with promises as to what it was and what it did. That third party just re-branded some software that Komodia sold and pointed it at a fixed address for pushing ads. The problem is, the Komodia software is basically a man-in-the-middle NIT originally developed for the Israeli intelligence service. The developers left the service to start up their own company based on the technology, and sold it to others to bypass https and push/pull data from a user's browser.

    The big issue here is that to do all this, Komodia installed a new root certificate with full system rights. This certificate had an easily guessable password, and was deployed not just to Superfish, but to a large portion of Komodia's customers.

    The end result was that anyone using any software that depended on Komodia's toolkit was loading untrusted and easily fakeable certificates on to their computer, allowing malicious actors to sign their web pages and software with the certificate, guaranteeing it would bypass a large portion of existing security checks.

    So... this gets back to Lenovo, who installed third party software on their systems without doing a dry run to see what it dropped -- the new root certificate should have resulted in an instant "sorry no... do this some other way, or we'll go with a different vendor."

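The mechanism the article and the Komodia comment above describe, a self-signed root dropped into the machine's trust store so that every certificate it issues passes every client's HTTPS check, together with the check a defender runs against it, as an added Go example that is not part of the Techdirt post or of any Lenovo, Superfish or Komodia code. All certificates are constructed in memory; the names Baseline Root CA, Injected Interception Root and example.com, and the functions Anchor, issue and Scenario, are this example's own inventions, and hostname matching is left out so the block stays focused on the trust anchor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Anchor verifies leaf against roots and reports the SHA-256 fingerprint of the root the chain ends in, plus whether that root is outside the approved baseline.
func Anchor(leaf *x509.Certificate, baseline map[string]bool, roots ...*x509.Certificate) (string, bool, error) {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	if err != nil {
		return "", false, err
	}
	// The last element of the first chain is the trust anchor the verifier actually relied on.
	fp := fmt.Sprintf("%x", sha256.Sum256(chains[0][len(chains[0])-1].Raw))
	return fp, !baseline[fp], nil
}

// issue builds constructed test data: a certificate for cn signed by parent's key (self-signed when parent is nil), returned with its own private key.
func issue(cn string, ca bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: ca,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// Scenario (constructed): a legitimate root, a locally injected interception root, and a leaf for example.com issued by the injected root.
func Scenario() (baselineErr error, localOutsideBaseline bool) {
	goodRoot, _ := issue("Baseline Root CA", true, nil, nil)
	badRoot, badKey := issue("Injected Interception Root", true, nil, nil)
	leaf, _ := issue("example.com", false, badRoot, badKey)
	baseline := map[string]bool{fmt.Sprintf("%x", sha256.Sum256(goodRoot.Raw)): true}
	_, _, baselineErr = Anchor(leaf, baseline, goodRoot)                  // rejected: no approved root issued this chain
	_, localOutsideBaseline, _ = Anchor(leaf, baseline, goodRoot, badRoot) // accepted, but anchored in the injected root
	return baselineErr, localOutsideBaseline
}

func main() {
	fmt.Println(Scenario()) // prints the baseline rejection error, then true
}
```

The second Anchor call is the interesting one: the verifier is perfectly happy, and only comparing the anchor's fingerprint against a baseline of expected roots reveals that a locally installed certificate is terminating the chain.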

  • That Anonymous Coward (profile), 7 Sep 2017 @ 2:32pm

    I know people who were in the market for new laptops, and I often pointed out the stories about Lenovo if it was on their list of picks.

    The standard "we don't see it as bad as they claim" is legal speak trying to lower lawsuit awards. Like the pacemaker that made the news recently because they were patching their units to stop them from being hacked. They claimed it was impossible and could only happen in a Homeland script... except they were vulnerable & were in denial to prop up their stock price after someone shorted them before revealing the hack.

    The last thing that matters in any business plan now is the consumer. We can get 50 cents per unit for installing this and we get a cut of the ongoing cash; they told us it's safe so it must be. Oh, if we use the feature in this way, we can make sure it's always reinstalled no matter how many times they remove it.

    The FTC giving a "stern" talking to needs to remind consumers there is no one actually protecting you unless the problem can get a serious bodycount.

    "We need to give shareholders more value" trumps "if we do this we've doomed our customers." Shareholders are never really pleased when the value takes a hit because they are forced to pay out millions, but really enjoyed that extra 10 cents in value screwing the consumers got for them. Businesses need to stop worrying about improving shareholder value over anything else, and deliver quality products that don't sacrifice consumers.

    • Anonymous Coward, 7 Sep 2017 @ 2:48pm

      Re:

      The FTC giving a "stern" talking to needs to remind consumers there is no one actually protecting you unless the problem can get a serious bodycount.

      Not true, as the free and open source software ecosystem does treat user privacy, and continuity of data use seriously.

      • Anonymous Coward, 8 Sep 2017 @ 10:30am

        Re: Re:

        Not true, as the free and open source software ecosystem does treat user privacy, and continuity of data use seriously.

        Parts of it. Plenty of open-source software phones home without warning (calibre, stellarium, firefox) or logs the user's activities locally (bash, vim, less, firefox). Only in egregious cases will distros normally disable it.

        • Anonymous Coward, 8 Sep 2017 @ 12:29pm

          Re: Re: Re:

          Firefox has this simple screen that allows you to turn off its reporting (preferences/advanced/data choices) and in any case reports things that are of practical interest to developers.

          As for local logging, none of it is hidden or covert, and the bash history is useful as it is searchable, and saves a lot of typing when repeating longer commands.

          • Anonymous Coward, 8 Sep 2017 @ 4:57pm

            Re: Re: Re: Re:

            Firefox has this simple screen that allows you to turn off its reporting,

            It's been a while, but I found it would open at least one tab and connect to some Mozilla site the first time it was run after creating a profile. Lots of extensions do it too. A workaround is to check the "Work offline" box when creating the profile.

            As for local logging, none of it is hidden or covert

            I don't agree. 'less' never used to log, and then one day I found a .lesshst file (anything starting with "." is considered "hidden" BTW). I was not given any warning about it, and there's no obvious UI feature that needs an on-disk history. Mozilla adds some form of local history every few versions. What indication would anyone have that 'vim' is going to store a list of every file you've ever opened?

            This whole thing is insidious. I don't need to find some shell command or website I visited a month ago; if I did I'd have made a note or bookmarked it. ("repeating longer commands" has nothing to do with history logging, because that doesn't need to go to disk.)

            Occasionally "git status" will show me that some process has shat a history file into my home directory. And then I try to find some setting to disable it—different for every program—or symlink it to /dev/null, replace it with a directory, or run 'chmod 0' for the containing directory. Sometimes none of that works; some programs try really hard to create history files.

            TAILS is nice but I shouldn't have to run a specialized OS to stop my own computer from logging everything I do.

            • Anonymous Coward, 10 Sep 2017 @ 3:53pm

              Re: Re: Re: Re: Re:

              Perhaps you ought to look at Gentoo or Sabayon, and learn how to tailor the compiles to meet your needs of zero logging/open recent file features.

  • Anonymous Coward, 7 Sep 2017 @ 2:57pm

    There's something fishy in China.

  • danderbandit (profile), 8 Sep 2017 @ 10:09pm

    Show me the MONEY!

    So the states sue Lenovo for this breach that affects consumers, Lenovo pays off the states, but does that $$$ go to the consumers who are affected? Of course not! The states are just running a racket to take money from companies and say 'Don't do that anymore!', but the companies are just going to raise their prices or cut quality on their products to make up the difference. The consumers get screwed on both ends. We essentially are the employers of both sides (purchases keep the companies in business, and the government works for us, right?) but we're the only employers who regularly get screwed by their employees!
