Threatwatch

Lenovo Settles with FTC over Security-Disabling Adware

Man-in-the-middle attack

Chinese technology company Lenovo settled a lawsuit with the Federal Trade Commission and 32 states over preinstalled adware that compromised some laptop users’ security, the agency announced Sept. 5.

The FTC said the adware was installed on hundreds of thousands of laptops and operated without consumers’ consent or knowledge.

According to the FTC, in 2014 Lenovo started installing man-in-the-middle software called Visual Discovery, made by SuperFish. The software circumvented the user’s browser security protections, even for encrypted websites, in order to serve up pop-up ads. Visual Discovery could also collect the information a user entered into a webpage, such as names and addresses, and more sensitive information such as Social Security numbers and payment details, though the FTC said Visual Discovery actually collected “more limited” information.

This vulnerability, however, could have been exploited by other parties, because Visual Discovery swapped out the digital certificates that authenticate websites for its own, a practice that prevents users from getting a browser warning about spoofed or possibly malicious websites. The affected laptops also all shared the same “easy to guess” password.
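As an added illustration, and not code from the article or from any company named in it, the following Python script shows one way a defender can notice the certificate swapping described above: record the issuer organisation you expect for a site when on a trusted network, then compare it with the issuer on the certificate a later connection actually presents. A locally installed interception root re-signs every site with its own name, so the pin fails. The host and issuer names in the pin table are constructed placeholders, and `fetch_peer_cert` is a helper written for this example.

```python
"""Detect TLS interception by pinning the expected certificate issuer.

Added example; the pin values below are constructed placeholders, not real CAs.
"""
import socket
import ssl

# Hypothetical pins: expected issuer organizationName per host. Populate these
# yourself from a connection you trust; the entries here are constructed.
EXPECTED_ISSUER_ORG = {
    "example.com": "Example Public CA",
}


def issuer_org(cert):
    """Return the issuer's organizationName from a certificate dict in the
    shape ssl.SSLSocket.getpeercert() returns: a tuple of RDNs, each RDN a
    tuple of (attribute, value) pairs. None if the field is absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def check_interception(host, cert, pins=EXPECTED_ISSUER_ORG):
    """Compare the presented certificate's issuer with the pinned issuer.

    Returns (intercepted, reason). A host without a pin is reported as not
    intercepted, with a reason that says so, because nothing can be checked.
    """
    expected = pins.get(host)
    if expected is None:
        return (False, "no pin for host")
    actual = issuer_org(cert)
    if actual != expected:
        return (True, f"issuer {actual!r} does not match pinned {expected!r}")
    return (False, "issuer matches pin")


def fetch_peer_cert(host, port=443, timeout=5):
    """Open a TLS connection and return the peer certificate as a dict.

    Default verification is kept on: if an interception root has been added to
    the trust store, the handshake succeeds and the issuer check catches it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Live check for every pinned host; network errors are reported, not fatal.
    for pinned_host in EXPECTED_ISSUER_ORG:
        try:
            flagged, why = check_interception(pinned_host, fetch_peer_cert(pinned_host))
            print(f"{pinned_host}: {'INTERCEPTED' if flagged else 'ok'} ({why})")
        except (OSError, ssl.SSLError) as exc:
            print(f"{pinned_host}: could not connect ({exc})")
```

The check only detects issuers that differ from the pin, so it is a tripwire for proxies that re-sign traffic with their own root, not a substitute for the browser's own chain validation.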

“Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use,” Acting FTC Chairman Maureen Ohlhausen said in a statement. “This conduct is even more serious because the software compromised online security protections that consumers rely on.”

The settlement requires Lenovo to get consumers’ “affirmative consent” before preinstalling software that serves ads in users’ web browsers. The company must also implement a comprehensive software security program covering most preloaded software for 20 years, subject to third-party review.

“While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after 2-1/2 years,” said a Lenovo statement. The company also said it stopped installing the software in early 2015 and worked with anti-virus makers to disable and remove it from existing laptops.

sector

Technology

reported

September 5, 2017

reported by

Reuters

number affected

Unknown

location of breach

Unknown

perpetrators

Unknown

location of perpetrators

Unknown

date breach occurred

Unknown

date breach detected

Unknown