Lenovo settles lawsuits with 32 states over Superfish

From August 2014 to December 2014, Lenovo sold laptops that had Visual Discovery spyware pre-installed, as Naked Security’s Paul Ducklin discussed back in February 2015. Visual Discovery is software that’s developed by Superfish, which describes itself as a marketing company.

Visual Discovery compares images you see in your web browser to its massive cloud database of images. A compared image is then associated with a related image. For example, if I were looking at a picture of the North American cover of Hyperdimension Neptunia Re;Birth 2 for the PSVita, Visual Discovery could possibly link it to an image of the North American cover of Hyperdimension Neptunia Re;Birth 3. If I hadn’t already purchased that game, Superfish’s adware could remind me that the game exists. If, hypothetically, Neptunia publisher Idea Factory International were one of Superfish’s clients, Superfish would make some ad revenue from them.

If a Lenovo customer agreed to have Visual Discovery installed on their laptop for whatever reason, there would have been less of an ethical problem. But a lot of people who bought Lenovo laptops in the last quarter of 2014 were unaware that what amounted to spyware was pre-installed on their Windows OEM PCs.

It gets worse. Visual Discovery isn’t a web browser plugin. The Lenovo laptops in question were designed to send all web traffic to a Superfish proxy server regardless of which web browser the customer uses. Here’s where the major cybersecurity problem comes into play. Visual Discovery performed as a man in the middle for all HTTPS connections. Ducklin wrote:

Instead of treating your HTTPS traffic as sacrosanct, and leaving it alone so it remains end-to-end encrypted all the way from the server to your browser, Superfish uses keybridging, also known as Man in The Middle, or MiTM.

The Superfish MiTM works pretty much as the name suggests.

When your browser connects to, say, https://example.com/, the connection is handled directly by Visual Discovery.

Your encrypted connection actually terminates inside Superfish’s filter.

The filter then connects onwards to https://example.com/ and grabs the content on your behalf (that’s why this sort of software is called a “proxy”), using an HTTPS connection of its own.

Of course, that means the HTTPS replies from example.com actually terminate inside the filter, too, so your traffic is unencrypted, both outbound and inbound, with the result that Superfish can read it…

Your browser thinks it made an end-to-end encrypted connection, and in a sense it did, except that the other end of the connection was not the example.com server – it was the Superfish filter on your own computer.”

Also, Superfish’s spyware was configured in such a way that users would not be notified of a TLS (for HTTPS) certificate problem, because Superfish itself was signing certificates. That’s a clever – and dislikeable – MiTM attack.

Once this was discovered and widely discussed, users were urged to uninstall Visual Discovery via Programs and Features in Windows’ Control Panel. By early 2015, according to Lenovo, the company had ceased selling laptops with Superfish’s unwelcome additions.

Fast forward to now, September 2017, and Lenovo has settled a lawsuit from the US’s Federal Trade Commission, the state of Connecticut, and 31 other American states, for $3.5m. Said acting FTC chairman Maureen Ohlhausen:

Lenovo compromised consumers’ privacy when it preloaded software that could access consumers’ sensitive information without adequate notice or consent to its use. This conduct is even more serious because the software compromised online security protections that consumers rely on.

Lenovo said in response:

While Lenovo disagrees with allegations contained in these complaints, we are pleased to bring this matter to a close after two and a half years. To date, we are not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications.

Hopefully this sets a precedent within the PC manufacturing industry, as well as the mobile device manufacturing industry. Preloading adware that could compromise user security might look like a tempting way to make extra profit from PCs, which have notoriously slim profit margins. But compromising user security isn’t worth it.