FTC spanks Lenovo for bundling security-compromising adware on laptops
Lenovo has settled with the Federal Trade Commission after selling laptops with VisualDiscovery adware pre-installed. The Superfish-developed adware was installed without users' consent and made machines vulnerable to man-in-the-middle attacks.
On top of this, the adware shared users' browsing data with third parties. As part of the settlement, Lenovo must gain explicit consent from users before engaging in similar tactics in the future, and must not misrepresent software that serves to inject ads into browsing sessions. The FTC did not, however, prohibit Lenovo from installing adware on its hardware, nor did it impose a financial penalty on the Chinese company.
The conduct at issue in the complaint dates back to 2014. Between 2014 and 2015, Lenovo sold hundreds of thousands of laptops with VisualDiscovery pre-installed. The software acted as a man-in-the-middle proxy on the machine itself, intercepting users' web traffic, analysing it and injecting ads into the pages they viewed.
This was done for both HTTP and HTTPS traffic. To work over secure connections, VisualDiscovery installed its own self-signed root certificate in the Windows trusted root store and, for each HTTPS site a user visited, generated a certificate for that site signed by this root, so the browser saw a certificate it trusted rather than the site's real one. Two things made this dangerous. The root certificate and its private key were identical on every affected laptop, so once the key had been extracted from one machine it could be used to impersonate any HTTPS site to all of them. And VisualDiscovery did not adequately validate the real sites' certificates before replacing them, so an attacker on the network presenting an invalid or forged certificate could sit between the proxy and the site without the user ever seeing a browser warning.
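To make those two failure modes concrete, here is an added example (not Lenovo's, Superfish's or the FTC's code) written in Go against the standard library. It builds a public CA and an interception root, mints a per-site certificate under that root the way the proxy did, and shows that a laptop whose trust store contains the root accepts the forgery while a client with only public roots rejects it; that a proxy which skips upstream validation re-signs a site presenting an untrusted certificate, whereas one that validates refuses; and how checking which root anchors the chain the client sees detects the forgery. The host name, the CA names and the `relay`/`RunScenario` API are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not Lenovo's or Superfish's code. Host and CA names are assumptions.
const host = "bank.example"

// Cred is a certificate plus the private key that signs under it.
type Cred struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newCert issues a self-signed CA when parent is nil, otherwise a server certificate
// for cn signed by parent (what the proxy mints for every HTTPS site the user visits).
// Key generation and signing cannot fail for these fixed inputs, so failures panic.
func newCert(cn string, parent *Cred) *Cred {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	parentCert, signer := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return &Cred{cert, key}
}

// accepts mirrors the browser check: does c chain to a root in pool for host?
func accepts(pool *x509.CertPool, c *x509.Certificate) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// relay models the proxy handling one HTTPS visit: given the certificate the real
// server presented, it returns the forged one the client will see. VisualDiscovery
// behaved like validateUpstream=false, forging a leaf even when the real one was bad.
func relay(iRoot *Cred, upstream *x509.Certificate, publicRoots *x509.CertPool, validateUpstream bool) (*x509.Certificate, error) {
	if validateUpstream && !accepts(publicRoots, upstream) {
		return nil, fmt.Errorf("upstream certificate for %s is not trusted; refusing to relay", host)
	}
	return newCert(host, iRoot).Cert, nil
}

// IssuedBy is the detection check: is the chain the client sees anchored in root?
func IssuedBy(c *x509.Certificate, root *Cred) bool {
	return c.CheckSignatureFrom(root.Cert) == nil
}

// Result records who accepts what in RunScenario.
type Result struct {
	DeviceAcceptsForgery bool // laptop trusts the shared root, so the forged leaf verifies
	CleanClientAccepts   bool // a client with only public roots rejects the same leaf
	BogusUpstreamRelayed bool // proxy forged a leaf for a site presenting an untrusted cert
	StrictProxyRefuses   bool // a proxy that validates upstream refuses that site
	Detected             bool // issuer check flags the forged leaf but not the real one
}

// RunScenario plays out an HTTPS visit through the proxy on an affected laptop.
func RunScenario() Result {
	publicCA, iRoot := newCert("Public CA (assumed)", nil), newCert("Interception Root (assumed)", nil)
	publicRoots, deviceRoots := x509.NewCertPool(), x509.NewCertPool()
	publicRoots.AddCert(publicCA.Cert)
	deviceRoots.AddCert(publicCA.Cert)
	deviceRoots.AddCert(iRoot.Cert) // the same cert and key sat in every affected laptop's store

	legit := newCert(host, publicCA).Cert // what the real site presents
	seen, _ := relay(iRoot, legit, publicRoots, false)
	// An attacker already on the path presents a certificate from a CA nobody trusts.
	bogus := newCert(host, newCert("Attacker CA (assumed)", nil)).Cert
	relayed, errLax := relay(iRoot, bogus, publicRoots, false)
	_, errStrict := relay(iRoot, bogus, publicRoots, true)
	return Result{
		DeviceAcceptsForgery: accepts(deviceRoots, seen),
		CleanClientAccepts:   accepts(publicRoots, seen),
		BogusUpstreamRelayed: errLax == nil && accepts(deviceRoots, relayed),
		StrictProxyRefuses:   errStrict != nil,
		Detected:             IssuedBy(seen, iRoot) && !IssuedBy(legit, iRoot),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The `deviceRoots` pool is the whole story: nothing the browser does can tell a forged leaf from a real one once the interception root is trusted, which is why the practical check on an affected machine is to look at what the chain terminates in (the `IssuedBy` test here) rather than whether the chain verifies. The `validateUpstream` flag is the second finding from the complaint: a proxy that does not verify the real site's certificate turns every network attacker's bad certificate into one the user's browser accepts.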
Announcing details of the settlement, the FTC said:
As part of the settlement with the FTC, Lenovo is prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers' Internet browsing sessions or transmit sensitive consumer information to third parties. The company must also get consumers' affirmative consent before pre-installing this type of software. In addition, the company is required for 20 years to implement a comprehensive software security program for most consumer software preloaded on its laptops. The security program will also be subject to third-party audits.
Lenovo says that it disagrees with the allegations made in the initial complaint, but is happy that the matter has been brought to a conclusion:
Today it was announced that Lenovo has reached settlements with the Federal Trade Commission (FTC) and a coalition of thirty-two U.S. states to resolve their concerns related to the third-party "VisualDiscovery" software that Lenovo preinstalled on certain consumer laptop products in late 2014 and early 2015. While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years.
After learning of the issues, in early 2015 Lenovo stopped preloading VisualDiscovery and worked with antivirus software providers to disable and remove this software from existing PCs. (Those instructions can be found on the Lenovo website here.) To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user's communications. Subsequent to this incident, Lenovo introduced both a policy to limit the amount of pre-installed software it loads on its PCs, and comprehensive security and privacy review processes, actions which are largely consistent with the actions we agreed to take in the settlements announced today.
Product security, privacy and quality are top priorities at Lenovo. We have a responsibility to deliver products and solutions that maintain the high standards we set for customer experience while also protecting the privacy, integrity, and availability of our customers' data. For more information on Lenovo’s current and comprehensive approach to product security, please visit the Lenovo Security Vault at: http://www3.lenovo.com/us/en/product-security/landing.shtml.
Full details of the settlement can be found on the FTC website.