Lenovo Fined Over Superfish Adware-ridden Laptops

Image copyright Reuters

Computer-maker Lenovo has agreed to pay US states $3.5m (£2.7m) to settle allegations that it sold laptops with pre-loaded adware that compromised buyers' security without warning.

The company has also agreed to seek consumers' consent before installing any such software in the future.

Lenovo faced uproar when it emerged in 2015 that it had hidden an advert-delivering program made by Superfish on hundreds of thousands of computers.

It later provided a tool to remove it.

US Federal Trade Commission investigators have alleged that Lenovo first started selling compromised laptops in August 2014.

The software involved was called VisualDiscovery, and was made by the California-based start-up Superfish.

It was designed to show pop-up ads from retailers when users hovered their cursors over related products on a website.

Owners began complaining about the issue, on the Lenovo's own forums, in late-2014.

But the discovery got picked up by the mainstream media only the following year, after security researchers reported that the code worked by substituting its own security key for the encryption certificates used by many websites and did so in a sloppy manner.

"VisualDiscovery... did not adequately verify that the websites' digital certificates were valid before replacing them, and then used the same easy-to-crack password on all affected laptops," the FTC said.

The watchdog said the software had put "login credentials, social security numbers, medical information, and financial and payment information" at risk.

In addition, the watchdog said, it had blocked browsers from warning users if they visited spoofed or otherwise malicious websites.

Although Lenovo was apparently unaware of the security risks, the FTC alleged that this was only because it had failed to properly vet the software.

Lenovo's financial penalty will be shared by 32 US states.

In addition, the company has agreed to implement a software security compliance programme that it must allow an independent third-party to check at regular intervals for the next 20 years.

Superfish closed in May 2015 following the scandal, and its founder repurposed its object-recognition technology via a new company, JustVisual.