Lenovo, FTC to Settle Superfish Adware Complaint
Superfish Used a Self-Signed Root Certificate to Inspect All Traffic
Lenovo will pay $3.5 million to the U.S. Federal Trade Commission and 32 states to settle a case brought against it over advertising software with serious security issues that was preinstalled on thousands of the company's laptops.
The VisualDiscovery software, made by a company called Superfish, monitored a user's internet browsing and injected pop-up ads for products from vendors with which Superfish had a business relationship.
VisualDiscovery used an invasive way to view internet traffic. It terminated a website's encrypted connection on the user's machine and opened its own onward connection to the site, allowing it to monitor traffic that SSL/TLS would otherwise have protected.
It further raised alarm after security experts found that the way the system had been implemented had other security flaws. The software shipped on a wide variety of Lenovo laptops between August 2014 and February 2015.
The FTC alleged Lenovo violated the Federal Trade Commission Act, which addresses unfair or deceptive trade practices. In a statement on its website, Lenovo says that "while Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years."
In addition to the penalty, which was described by New Jersey's Attorney General's Office, Lenovo faces other restrictions.
Lenovo will be required to get consent before preinstalling advertising software and can't misrepresent software features. It must also run a security program for 20 years that reviews the software preloaded on its laptops.
The settlement is tentative. The FTC will accept public comments on it through Oct. 5, after which the commission will decide whether to issue a final order.
Man-In-The-Middle
When security experts began to analyze Superfish in early 2015, their findings were surprising.
For websites that use SSL/TLS, the traffic exchanged between a person's browser and a particular service is encrypted. But that made it difficult for VisualDiscovery to deliver pop-up ads for those websites. To get around that, VisualDiscovery installed its own self-signed root certificate in the local certificate store. When someone browsed to a site with SSL/TLS, it terminated the connection and started a new one using a certificate issued from its own root; because the browser trusted that root, the substitute certificate was accepted without warning, allowing VisualDiscovery to inspect the traffic.
One of the immediate problems spotted was that Lenovo installed the same root certificate for VisualDiscovery on every computer. Researchers soon discovered the weak password protecting its private key (see Lenovo Drops Superfish Adware). That meant that any attacker on the same network could intercept and decrypt traffic from an affected laptop. So anyone going to a banking site, health-related site or e-commerce site could have their traffic intercepted and read.
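The defender-side check that follows from the above, as an added example that is not part of the original article: audit the Windows root stores for trusted roots that are not on an approved baseline or, as in the Superfish case, that carry their private key on the endpoint. The `$Baseline` allow-list of thumbprints is an assumed input exported from a clean image; no Superfish-specific thumbprint is hardcoded because the article does not give one.

```powershell
# Added example, not code from the article or from Lenovo/Superfish.
# Two tells of a local TLS-interception root: (1) a trusted root that is not in the
# organisation's baseline, and (2) a trusted root whose private key is present on the
# machine, which is what lets software mint certificates for any site on the fly.
param(
    # Hypothetical baseline: thumbprints exported from a known-clean image, e.g.
    #   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint
    [string[]]$Baseline = @()
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($cert in Get-ChildItem -Path $stores) {
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    $inBaseline = $Baseline -contains $cert.Thumbprint
    $hasKey     = $cert.HasPrivateKey

    if ($hasKey -or -not $inBaseline) {
        [pscustomobject]@{
            Store         = ($cert.PSParentPath -replace '.*::', '')
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            SelfSigned    = $selfSigned
            HasPrivateKey = $hasKey
            InBaseline    = $inBaseline
            # Private key on the box is the stronger signal; report it first.
            Reason        = if ($hasKey) { 'private key present (local interception capability)' }
                            else         { 'root not in baseline' }
        }
    }
}

# Roots with a private key sort to the top; an empty table means nothing unexpected.
$findings | Sort-Object HasPrivateKey -Descending | Format-Table -AutoSize
```

Enterprise inspection proxies and some developer tools legitimately install a root with its key, so a hit on the private-key test is a lead to triage against the baseline rather than a verdict by itself.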
When the uproar started, Lenovo initially defended the preinstalled software by saying it enhanced user experiences. But it eventually backed down. It wrote on Twitter on Feb. 20, 2015: "We're sorry. We messed up. We're owning it. And we're making sure it never happens again."
In the days following the mea culpa, Lenovo issued a tool that removed VisualDiscovery, while companies, including Microsoft and Trend Micro, tweaked anti-malware programs to quarantine it.
Commissioners Disagree
One issue in the FTC's case against Lenovo was whether consumers were adequately notified of VisualDiscovery and how it worked. That sparked a disagreement between two members of the commission over whether Lenovo was intentionally deceptive.
The FTC alleged that consumers saw a pop-up window alerting them to the software the first time an e-commerce site was visited. But merely closing the window actually opted them into the application.
The FTC also alleged that consumers were not made aware that the software would be tracking them around e-commerce websites, compromising their privacy and security and slowing the performance of the sites visited.
In a written statement, FTC Commissioner Terrell McSweeny writes that because of those alleged behaviors, the agency should have described additional deceptive conduct within the complaint.
"I believe that if consumers were fully aware of what VisualDiscovery was, how it compromised their system, and how they could have opted out, most would have decided to keep VisualDiscovery inactive," she writes. "The FTC should not turn a blind eye to deceptive disclosures and opt-ins, particularly when consumers' privacy and security are at stake."
But Acting Chairman Maureen K. Ohlhausen disagreed with McSweeny. She writes in a separate statement that Lenovo did not disclose the man-in-the-middle behavior, but it "did disclose that the software would introduce advertising into consumers' web browsing, although its disclosure could have been better. Furthermore, to the extent ordinary consumers expect anything from advertising software, they likely expect it to affect their web browsing and to be intrusive, as the popularity of ad blocking technology shows.
"In short, although VisualDiscovery's ad placement and effect on web browsing may have been irritating to many, those features did not make VisualDiscovery unfit for its intended use," she continues. "Therefore, I do not find Lenovo's silence about those features to be a deceptive omission."
Near the end of her opinion, Ohlhausen notes that the disagreement with McSweeny doesn't have an effect on the outcome of the case.