Lenovo Faces No Significant Penalty for Security-Destroying Superfish Debacle – ExtremeTech


The shovelware PC OEMs ship on their hardware is definitionally terrible; the handful of exceptions only serve to prove the rule. In early 2015, however, news broke that Lenovo hadn't simply shipped poor bundled software, but had fundamentally destroyed internet security on its products in the process. The entire sorry affair exposed a dearth of appropriate safeguards at the PC manufacturer, including the lack of meaningful software review or oversight of the bundling process.

An estimated 750,000 PCs were sold with Superfish installed in the US. Lenovo's initial fix merely removed the offending software, as opposed to closing the gaping security hole it had opened.

To refresh your memory: Superfish was the name of a developer behind an app called VisualDiscovery. VisualDiscovery injected advertising into websites you visited, including websites using HTTPS. Superfish broke internet security by installing its own self-signed root certificate as a trusted authority, so that every HTTPS connection was silently intercepted and re-signed, HTTPS no longer worked as intended on any site, and your browser never warned you that anything was wrong.

Making matters worse, Superfish only ever used one certificate key, shared across every system it was installed on. This is the classic architecture of a man-in-the-middle attack, except it's one Lenovo perpetrated against its own users. The crazy part: Lenovo actually knew about this behavior, told Superfish to remove it, and then never checked to see if the company had done so.
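The interception described above leaves two observable traces on a Windows endpoint: an unexpected root certificate in the trusted store, and HTTPS chains that terminate in that root instead of a public CA. The following PowerShell is an added example for this article, not Lenovo's or Superfish's code; it assumes "Superfish, Inc." as the subject of the interception root (the subject the incident's certificate carried) and uses www.example.com as an arbitrary test site.

```powershell
# Added example (not from the article): a defender's check for a Superfish-style
# interception root on a Windows endpoint. "Superfish, Inc." is the subject the
# incident's root certificate carried; further watchlist entries are your own.
$Watchlist = @('Superfish, Inc.')
$Pattern   = ($Watchlist | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-SuspectRoots {
    # Enumerate both root stores: the machine store and the per-user store,
    # which an installer running as the logged-on user can also write to.
    param([string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'))
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern } |
            Select-Object @{Name = 'Store'; Expression = { $store }}, Subject, Thumbprint, NotAfter
    }
}

function Test-TlsInterception {
    # Connect to a site and inspect the chain actually presented. If it ends in
    # a watchlisted root rather than a public CA, the connection is being re-signed.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever is presented so the certificate can be examined;
        # this stream is used for inspection only, never for sending data.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $null  = $chain.Build($leaf)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            HostName    = $HostName
            LeafIssuer  = $leaf.Issuer
            ChainRoot   = $root.Subject
            Intercepted = ($leaf.Issuer -match $Pattern) -or ($root.Subject -match $Pattern)
        }
    }
    finally {
        $client.Dispose()
    }
}

Get-SuspectRoots | Format-Table -AutoSize
Test-TlsInterception -HostName 'www.example.com'
```

On a clean system `Get-SuspectRoots` returns nothing and `Intercepted` is `False`; a hit in either check means every HTTPS site the user visits is being decrypted locally, regardless of the padlock the browser shows.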

Superfish's valuable service in action.

In the aftermath of Superfish, 32 states and the FTC launched a joint case against Lenovo, and that case has now concluded with a settlement. It includes no meaningful penalty for Lenovo, which is not required to admit wrongdoing, and is fined just $3.5 million (split among 32 states). The only requirements Lenovo faces are the need to receive affirmative consent from users before installing any data-gathering or ad-serving application on their PCs (something that shouldn't even be on the table, given that Lenovo pledged to stop shipping PCs contaminated with bloatware back in 2015) and to run third-party security audits every other year on its bundled software for the next 20 years. Given that these audits should be running anyway, there's no actual penalty here, unless being required to perform minimal security due diligence counts as a penalty.

Lenovo, meanwhile, couldn't resist letting the world know it disagrees with even this tiny non-penalty. In a statement, the company said: "While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close." This is perfectly in keeping with Lenovo's demeanor throughout Superfish. The company first argued it didn't compromise security, then claimed the entire issue was overblown because no one was known to have taken advantage of it (remember, no one could tell if it had been exploited, since it broke HTTPS security in the first place), with the memorable dodge that all of this was somehow acceptable because ThinkPad users (aka, users Lenovo cares about) weren't affected. Lenovo was evidently just warming up the ThinkPad excuse, because it trotted it out again a few months later when caught in another security snafu.

This type of non-penalty penalty illustrates part of why American citizens take digital security so lightly, and why breaches, attacks, and ransomware outbreaks keep getting worse. You can call this an offshoot of regulatory capture if you like, or see it as part of a positive reinforcement cycle between large corporations, which broadly seek to mine as much data as possible for earning money, and first-world governments, which hoover up huge amounts of data in the name of national security.

There is no excuse for Lenovo's decision to ship broken software to 750,000 US customers. But there's also no excuse for allowing cataclysmic security breaches like this to go unpunished, except, of course, that few care about security.

Lenovo never cleaned house. It never performed more than the most perfunctory attempts at public apology, and it can't help telegraphing its own resentment that it had to pay a pittance for the collective aggravation and genuine security threat it imposed on its own customers. In the aftermath of Superfish I wrote that I refuse to recommend laptops from Lenovo to anyone, for any reason. That's still the case.
