Lenovo reached a $3.5m (£2.7m) settlement Tuesday (5 September) with the US Federal Trade Commission and 32 state attorneys general over charges related to malicious Superfish adware that came pre-installed on some of its laptops from August 2014 to February 2015. The Chinese computer firm was found to be selling hundreds of thousands of computers preloaded with third-party software called VisualDiscovery developed by the company Superfish.
The malicious software could track a user's web searches and browsing activity, even when visiting encrypted websites, to place additional pop-up ads from Superfish's retail partners on the sites visited. The software also interfered with how the user's browser interacted with websites and left people open to serious security vulnerabilities, the FTC said.
Lenovo said it was not aware of any actual instances in which a third party exploited these vulnerabilities to gain access to a user's communications.
Although VisualDiscovery only collected and transmitted limited information to Superfish's servers, such as websites the user visited and the consumer's IP address, the "man-in-the-middle" technique allowed the software to access all of a consumer's sensitive personal information transmitted across the web, including login credentials, Social Security numbers, medical data as well as financial and payment data.
To display pop-up ads on encrypted websites, the snooping software used an insecure method to replace the digital certificates for those sites with its own VisualDiscovery-signed certificates. It also did not properly verify that these sites' certificates were valid before replacing them. Instead, it used to same, easy-to-crack password on all affected laptops rather than unique passwords for each device, the FTC said.
"Because of these security vulnerabilities, consumers' browsers could not warn users when they visited potentially spoofed or malicious websites with invalid digital certificates," the FTC said in a statement. "The vulnerabilities also enabled potential attackers to intercept consumers' electronic communications with any website, including financial institutions and medical providers, by simply cracking the pre-installed password."
According to the FTC, as many as 750,000 laptops containing the programme were sold in the US.
Acting FTC Chairman Maureen K. Ohlhausen said: "Lenovo compromised consumers' privacy when it preloaded software that could access consumers' sensitive information without adequate notice or consent to its use. This conduct is even more serious because the software compromised online security protections that consumers rely on."
As part of its settlement with the FTC, Lenovo has agreed to get consumers' affirmative consent before pre-installing such software on its devices and is required to run a comprehensive software security program for most consumer software preloaded on its laptops for the next 20 years that will be subject to audits.
The company is also "prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers' Internet browsing sessions or transmit sensitive consumer information to third parties."
The company added that it stopped pre-installing the software after it was made aware of the privacy concerns and worked with antivirus software providers to disable and remove it from existing laptops.
"Subsequent to this incident, Lenovo introduced both a policy to limit the amount of pre-installed software it loads on its PCs, and comprehensive security and privacy review processes, actions which are largely consistent with the actions we agreed to take in the settlements announced today," the firm said in a statement.