Lenovo finally pays up for pre-installing Superfish adware on its computers
Computer-maker Lenovo has agreed to pay $3.5 million to settle allegations over the Superfish scandal. On September 6th, 2017, a coalition of the attorneys general of 32 states announced the settlement, which covers the company's practice of shipping consumer laptops with the adware preinstalled.
The company made a serious mistake when it chose to bundle Superfish adware with its consumer laptops in 2014. Complaints began in autumn 2014, when users noticed the intrusive VisualDiscovery adware (developed by California-based Superfish) on their new machines.
In January 2015, China-based Lenovo stopped preloading the adware on new consumer systems. The company also stated that Superfish had disabled the server-side component, so the ad-supported software could no longer activate on machines already in the market. The top-selling computer brand later released a tool to help users remove the software, and its root certificate, from affected products.
The behaviour of the Superfish adware can fairly be described as "aggressive"
The adware displayed pop-up ads, injected ads into web pages so that they appeared to come from the pages themselves, and in that way misled the user. Worse, it installed its own self-signed root certificate into the Windows trusted root store, which let it inject ads even into HTTPS pages.
According to the FTC, VisualDiscovery acted as a "man-in-the-middle" between users and the websites they visited, which gave the software access to whatever the user sent or received over the connection. A victim's name, login credentials, payment card data and social security number could all be read by the software in the clear and, the FTC alleged, exposed to Superfish.
To display ads on encrypted (HTTPS) sites, the adware replaced each site's real certificate with one it minted on the fly and signed with its own root (built on Komodia's SSL interception library). It did not properly check whether the site's real certificate was valid before substituting its own, so an expired, mismatched or outright forged upstream certificate was turned into a replacement the browser would accept. In addition, the very same private key was shipped on every laptop, protected only by an easily cracked password ("komodia", the name of the library vendor).
As a result, the browser could no longer warn users about sites presenting bogus certificates: it only ever saw the Superfish-signed replacement, which chained to a root it trusted. And because the private key was identical on every affected machine, anyone who recovered it from a single laptop (researchers did so within a day of the story breaking) could forge a certificate for any website and intercept the traffic of every affected Lenovo user.
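The two certificate-handling failures described above, re-signing without validating the upstream certificate and shipping one shared signing key, are easy to reproduce in miniature. The following is an added example, not code from the article, Lenovo, Superfish or the FTC, written in Go with only the standard library. The names "Example Public CA", "Impostor CA", "Demo Intercept CA", "www.example.com" and "bank.example" are constructed stand-ins: the intercept CA plays the role of the Superfish root in the laptop's trust store, and the impostor CA plays a phishing site with a certificate no clean browser would accept.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // incrementing serial so no two demo certificates collide

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signer on behalf of parent (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newRoot makes a self-signed CA, like the root Superfish dropped into the Windows trust store.
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := genKey()
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// newLeaf makes a server certificate for host, issued by the given CA.
func newLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := genKey()
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(tmpl, ca, &key.PublicKey, caKey)
}

// browserAccepts does what a browser does: chain leaf to the trust store for host.
func browserAccepts(leaf *x509.Certificate, trust *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trust, DNSName: host})
	return err == nil
}

// resignUnchecked is the Superfish-style step: mint a fresh certificate carrying the
// upstream name, signed by the interception root, without validating upstream at all.
func resignUnchecked(upstream, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	return newLeaf(upstream.DNSNames[0], ca, caKey)
}

// resignChecked is the corrected form: refuse anything a clean browser would reject.
func resignChecked(upstream *x509.Certificate, upstreamTrust *x509.CertPool, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	host := upstream.DNSNames[0]
	if _, err := upstream.Verify(x509.VerifyOptions{Roots: upstreamTrust, DNSName: host}); err != nil {
		return nil, fmt.Errorf("refusing to re-sign %s: %w", host, err)
	}
	return newLeaf(host, ca, caKey), nil
}

type Outcome struct {
	BogusRejectedByCleanBrowser bool // impostor cert fails on an unmodified machine
	BogusAcceptedAfterResign    bool // same cert passes once the interceptor re-signs it
	GenuineResignedWhenChecked  bool // the hardened re-signer still passes a valid site
	BogusRefusedWhenChecked     bool // ... but refuses the impostor
	SharedKeyForgeryAccepted    bool // anyone holding the shared CA key can forge any site
}

func RunScenario() Outcome {
	const host = "www.example.com"                            // constructed sample host
	publicCA, publicKey := newRoot("Example Public CA")       // hypothetical public CA
	impostorCA, impostorKey := newRoot("Impostor CA")         // hypothetical phishing site's CA
	interceptCA, interceptKey := newRoot("Demo Intercept CA") // stand-in for the Superfish root

	cleanTrust := x509.NewCertPool() // an unmodified trust store
	cleanTrust.AddCert(publicCA)
	victimTrust := x509.NewCertPool() // the laptop's store: public CA plus the injected root
	victimTrust.AddCert(publicCA)
	victimTrust.AddCert(interceptCA)

	genuine := newLeaf(host, publicCA, publicKey)
	bogus := newLeaf(host, impostorCA, impostorKey)

	var o Outcome
	o.BogusRejectedByCleanBrowser = !browserAccepts(bogus, cleanTrust, host)
	o.BogusAcceptedAfterResign = browserAccepts(resignUnchecked(bogus, interceptCA, interceptKey), victimTrust, host)
	_, err := resignChecked(genuine, cleanTrust, interceptCA, interceptKey)
	o.GenuineResignedWhenChecked = err == nil
	_, err = resignChecked(bogus, cleanTrust, interceptCA, interceptKey)
	o.BogusRefusedWhenChecked = err != nil
	// The same private key shipped on every laptop: whoever extracts it once can mint a
	// certificate for any site that every affected browser will trust.
	forged := newLeaf("bank.example", interceptCA, interceptKey)
	o.SharedKeyForgeryAccepted = browserAccepts(forged, victimTrust, "bank.example")
	return o
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Running it prints all five fields as true: the impostor certificate is rejected on a clean machine but accepted by the victim's browser once the interceptor re-signs it without checking, while the hardened re-signer passes the genuine site and refuses the impostor; and a certificate for an unrelated host minted with the shared interception key is trusted by the victim outright, which is exactly why one leaked key compromised every affected laptop.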
The settlement is pending approval from courts of 32 states
Although Lenovo disagreed with the allegation that it "preloaded software that could access consumers' sensitive information without adequate notice or consent to its use," it said it was "pleased to bring this matter to a close after two and a half years."
However, the settlement still needs approval from the courts of the participating states. If approved, the $3.5 million paid by Lenovo will be split among those states in proportional shares.