Federal Trade Commission (FTC) and Lenovo: Superfish Epic Fail
Beginning in 2014, Lenovo sold laptops with an app that Lenovo itself had pre-loaded. The app compromised the laptop’s security and has been at the center of the company’s issues with the FTC ever since. The app as installed was VisualDiscovery (Cluley, 2017; Reuters Staff, 2017; Weise, 2017), created by Superfish. The code was designed to insert advertisements into web pages based on the user’s search history (Weise, 2017). In essence, the app carried out a man-in-the-middle attack: it inserted itself into the user’s encrypted web session (Weise, 2017). To do this, the app gained access to the seemingly secure communications and replaced the sites’ authentic certificates with its own, so the app and the Lenovo computer were able to monitor the traffic in full. This was not a minor issue affecting a few thousand laptops; approximately 750,000 of the laptops sold were affected. The users who purchased the laptops did not know of the app or its activity. Lenovo stated that the pre-loaded software was no longer included starting with early 2015 production (Reuters Staff, 2017).
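The interception described above works because the ad-injecting app presents a certificate it signed itself in place of the site’s real one. A defender can spot that substitution by comparing the certificate a browser actually receives with the issuer the site is known to use. The following Python example is added here to illustrate that check; it is not code from the article, from Lenovo or from Superfish. The expected issuer name, the sample certificates and the “Preloaded Adware Root” issuer are all constructed values, laid out in the dictionary format that Python’s ssl.SSLSocket.getpeercert() returns, so the check runs offline against the embedded samples.

```python
"""Detect on-device TLS interception by checking the certificate presented
for a site against the issuer that site is expected to use.

Added example (not from the article). All issuer names, hostnames and
certificate fields below are constructed sample data.
"""
import socket
import ssl

# Hypothetical expectations kept by the defender: which CA should have signed
# the leaf certificate of each monitored site.
EXPECTED_ISSUER_CN = {
    "bank.example": "Example Public CA",
}


def rdn_value(name, attr):
    """Pull one attribute (e.g. 'commonName') out of the nested RDN tuples
    that getpeercert() uses for its 'subject' and 'issuer' fields."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def detect_interception(hostname, cert):
    """Return a list of findings explaining why `cert`, presented for
    `hostname`, looks like the product of an interception proxy.
    An empty list means the certificate matches expectations."""
    findings = []
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    subject_cn = rdn_value(cert.get("subject", ()), "commonName")

    # 1. The issuer is not the CA we know signs this site's certificate.
    expected = EXPECTED_ISSUER_CN.get(hostname)
    if expected and issuer_cn != expected:
        findings.append(f"issuer mismatch: got {issuer_cn!r}, expected {expected!r}")

    # 2. A leaf whose issuer and subject are the same name is self-signed,
    #    which no public CA would issue for an ordinary website.
    if issuer_cn and subject_cn and issuer_cn == subject_cn:
        findings.append("self-signed leaf certificate")

    # 3. The certificate must still name the host; a proxy that mints
    #    certificates on the fly usually copies the names, so a gap is odd.
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    if hostname not in sans:
        findings.append(f"hostname {hostname!r} not in subjectAltName {sorted(sans)}")

    return findings


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live helper (not exercised by the offline samples): open a TLS
    connection and return the peer certificate as getpeercert() parses it.
    If a locally installed interception root is trusted by the system store,
    the connection succeeds and detect_interception() does the work."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() layout (values are made up).
LEGIT_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": (
        (("organizationName", "Example CA Inc"),),
        (("commonName", "Example Public CA"),),
    ),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "www.bank.example")),
}

INTERCEPTED_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("commonName", "Preloaded Adware Root"),),),
    "subjectAltName": (("DNS", "bank.example"),),
}


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("intercepted", INTERCEPTED_CERT)):
        print(label, detect_interception("bank.example", cert) or "OK")
```

The point of the check is that a browser on an affected laptop trusts the interception certificate because the app added its own root to the system trust store; comparing the observed issuer against an out-of-band expectation (here a simple pin table) catches the substitution even though the TLS handshake itself reports no error.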
Lenovo was sued by the FTC and 32 state attorneys over its misfeasance (Cluley, 2017). The corporation agreed to a settlement to resolve the issues. Under it, Lenovo is “…prohibited from misrepresenting any features of software preloaded on laptops that will inject advertising into consumers’ internet browsing sessions or transmit sensitive consumer information to third parties”; it agreed to “receive clear consent prior to installing any such software”, meaning the consumer has to affirmatively agree to it; it must have a third party audit Lenovo’s security plan for any pre-loaded software on its computers for the next 20 years; and it must pay a $3.5M fine. This sounds rather exhaustive; however, the impact was not significant.
As noted, there was a $3.5M fine (Cluley, 2017; Reuters Staff, 2017). This may initially appear to be an amount that would jar the executives and bring their attention to the matter. Relatively speaking, however, it is a rather paltry sum, to put it mildly. Lenovo’s operating profit for the fiscal year ending 3/31/2017 was $456,941k. The fine, which was intended to stop further activity of this sort and other similar activities, amounted to 0.77% of the 2017 operating profit. In relative terms this is not a deterrent, but merely a dainty slap on the wrist.
This amount was not sufficient. The percentage effect is so low that the finance office might notice it only in passing; for Lenovo it is more a rounding error than a penalty. The net result was clearly not a deterrent for Lenovo. The FTC had the opportunity to send a clear message to other manufacturers and to the American public. Instead, the agency chose not to address the issue directly. Had the FTC done the right thing and imposed a more significant fine, it would have deterred Lenovo from further transgressions against its clients and others. Depending on self-governance by Lenovo has historically been problematic, and that may continue as long as the company is not hit in its checkbook.
Cluley, G. (2017, September 6). Lenovo’s superfish security fiasco ends in a slap on the wrist. Retrieved from https://www.grahamcluley.com/lenovos-superfish-security-fiasco-ends-slap-wrist/
Reuters Staff. (2017, September 5). Lenovo settles charges it sold laptops with compromised user security. Retrieved from https://www.reuters.com/article/us-lenovo-group-usa-ftc/lenovo-settles-charges-it-sold-laptops-with-compromised-user-security-idUSKCN1BG21U
Weise, E. (2017, September 5). FTC settles with Lenovo over a built-in snooping software, $3.5 million fine. Retrieved from https://www.usatoday.com/story/tech/2017/09/05/ftc-settles-lenovo-over-built-snooping-software-scammed-users-computers/632775001
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.