Lenovo to pay $3.5M for selling compromised laptops

Laptop maker Lenovo has agreed to pay $3.5 million and make changes in how it sells laptops in order to settle allegations it sold devices with pre-loaded software that compromised users’ security protections.

The agreement with Connecticut, the Federal Trade Commission and 31 other states was announced on Tuesday after a two-and-a-half-year dispute.

The software in question, called VisualDiscovery, appears to affect Internet Explorer and Google Chrome on the Lenovo laptops sold between August 2014 and January 2015.

Lenovo, a major laptop maker, has agreed to pay $3.5 million and make changes in how it sells laptops in order to settle allegations it sold devices with pre-loaded software that compromised users’ security protections. Pictured: The ThinkPad Helix, which was released during the affected period – although the firm has not released details of exactly which models are hit

The purpose of VisualDiscovery, an ad software from the company Superfish, was to deliver pop-up advertisements.

The Chinese computer manufacturer says VisualDiscovery helps users find products online by analysing images and presenting similar, cheaper products.

But security analysts and the FTC claim that what VisualDiscovery actually does is serve intrusive ads, as well as compromise private information such as bank details and passwords.

The software appears to affect Internet Explorer and Google Chrome on the Lenovo laptops sold between September 2014 and January 2015.

Users first began raising concerns about the software in September 2014.

Lenovo’s pre-loaded software acted as a middleman between users’ browsers and the sites they visited, including encrypted ones.

By tracking users’ web searches and browsing activity, the software was able to place additional ads on the sites they visited, and did so without consent.

The FTC complaint alleges VisualDiscovery used an insecure method to replace digital certificates (which signal to a browser that an encrypted website is authentic) with its own VisualDiscovery-signed certificates, replacing them without first verifying that the original certificates were valid.

Because of this, the software blocked browsers from warning users when they tried to access malicious websites. 
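The interception the FTC describes can be checked for from the client side. The script below is an added example for this article, not code from the article, Lenovo or Superfish. It completes a normal, fully verified TLS handshake and then asks who issued the leaf certificate: a site re-signed on the device shows a locally installed root as issuer rather than a public CA, even though chain validation passed, because that root sits in the system trust store. The issuer allowlist, the sample certificate dictionaries and the issuer names in them are constructed for illustration.

```python
"""Client-side check for a local TLS re-signing root.

Added example, not code from the article, Lenovo or Superfish. It looks at
the leaf certificate a TLS client actually receives and asks who issued it:
a site re-signed on the device shows up with the local root as issuer rather
than a public CA, even though the browser's chain validation passes, because
that root was installed into the system trust store.
"""
import socket
import ssl
import sys

# Constructed allowlist of issuer organisation names (assumption for the
# example). A real check would pin the issuer each site is known to use or
# compare against a public CA bundle rather than a hand-maintained list.
KNOWN_PUBLIC_ISSUER_ORGS = frozenset({
    "DigiCert Inc",
    "Let's Encrypt",
    "Google Trust Services LLC",
})


def _rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of a name in the tuple-of-
    RDNs shape that ssl.SSLSocket.getpeercert() returns; None if absent."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def classify_peer_cert(cert, known_issuers=KNOWN_PUBLIC_ISSUER_ORGS):
    """Return 'ok', 'self_signed' or 'unknown_issuer' for a getpeercert() dict.

    'unknown_issuer' is the interesting case: the chain validated (otherwise
    the handshake would have failed) yet the issuer is not a public CA, so a
    locally trusted root is vouching for this site.
    """
    issuer = cert.get("issuer", ())
    subject = cert.get("subject", ())
    if issuer and issuer == subject:
        return "self_signed"
    if _rdn_value(issuer, "organizationName") in known_issuers:
        return "ok"
    return "unknown_issuer"


def common_unknown_issuers(certs, known_issuers=KNOWN_PUBLIC_ISSUER_ORGS):
    """Given leaf certificates collected from several different hosts, return
    the non-public issuer common names that vouch for more than one distinct
    subject. One local root signing every site a user visits is the
    signature of a re-signing proxy rather than of a single odd site."""
    subjects_by_issuer = {}
    for cert in certs:
        if classify_peer_cert(cert, known_issuers) != "unknown_issuer":
            continue
        issuer_cn = _rdn_value(cert["issuer"], "commonName")
        subject_cn = _rdn_value(cert["subject"], "commonName")
        subjects_by_issuer.setdefault(issuer_cn, set()).add(subject_cn)
    return {cn for cn, subs in subjects_by_issuer.items() if len(subs) > 1}


def probe(hostname, port=443, timeout=5.0):
    """Live check: complete a normal, fully verified TLS handshake against
    `hostname` using the system trust store and classify the leaf we got.
    Verification is deliberately left on: the point is that it passes even
    when a local root is interposed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return classify_peer_cert(cert), _rdn_value(cert["issuer"], "commonName")


# Constructed samples in getpeercert() shape (not real certificates).
LEGIT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "Example Public Intermediate CA"),)),
}
# The same site, as the client would see it behind a local re-signing root.
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Ad Proxy (constructed)"),),
               (("commonName", "Example Ad Proxy Root"),)),
}
INTERCEPTED_CERT_2 = {
    "subject": ((("commonName", "mail.example.net"),),),
    "issuer": INTERCEPTED_CERT["issuer"],
}

if __name__ == "__main__":
    for host in sys.argv[1:] or ["www.example.com"]:
        print(host, *probe(host))
```

Run it with a handful of unrelated hostnames: if every one of them comes back with the same non-public issuer, a single local root is signing everything the machine connects to, which is exactly the position the article describes the software occupying. The check keeps certificate verification switched on because a re-signing root in the trust store passes validation; the issuer, not the validation result, is what gives it away.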

VisualDiscovery also used the same, low-strength password on all affected laptops rather than creating a unique one for each device.  

The software was also able to access consumers’ sensitive information, including Social Security numbers, login credentials, medical information, and financial and payment information, the FTC said.

That information was not sent to Superfish, which sold VisualDiscovery, the FTC said.

‘Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,’ Acting FTC Chairman Maureen Ohlhausen said in a statement.

‘This conduct is even more serious because the software compromised online security protections that consumers rely on.’

The FTC argues Lenovo failed to discover the vulnerabilities because it didn’t properly assess the risks of the third-party software it installed on its laptops.

Lenovo said in a statement that it stopped selling the pre-loaded software in early 2015 and that it worked with antivirus software providers to disable and remove this software from existing PCs.

It also said it’s not aware of any cases in which a third party exploited users.

‘While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years,’ the company said.

‘To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications,’ the company said in an email statement.

As part of the settlement, Lenovo agreed to get consumers’ consent before installing this type of software, the FTC said.

For the next 20 years, the Chinese company must also run a software security program for most consumer software preloaded on its laptops.

On its own, Lenovo said it has introduced a policy to limit the amount of preinstalled software it loads onto its devices. 

The firm also claims to have created a security and privacy review process. 

Read more at DailyMail.co.uk