After two and a half years of legal discussion, the US Federal Trade Commission has fined Lenovo US$3.5 million for pre-loading adware into its PCs between September 2014 and January 2015.
The adware reportedly came pre-installed on about 750,000 devices.
As part of the ruling, the company will be forced to declare the pre-loaded software to its customers and receive the user’s permission. Lenovo will also be subject to audited security checks for a 20 year period.
The adware has been deemed particularly dangerous, as the software leaves users’ PCs wide open to malicious attacks.
The adware has been titled the “Superfish” bug. The name, Superfish, derives from the company who developed the VisualDiscovery software which Lenovo packaged with its PCS.
The Superfish bug injected ads, on behalf of retail partners, into the PC user’s web browsing.
The danger of the software is not just because it provides access to users’ private information, but also that it had root certificate access, meaning hackers could effortlessly forge the certificate and view encrypted communication which took place on the same network.
Users can click here if they believe their PC could be running the software, to go through a dedicated removal process.
Lenovo’s press release does not include an explicit admission of wrongdoing, rather stating it disagrees with allegations contained in these complaints” but it is “pleased to bring this matter to a close after 2-1/2 years”. The company also states it stopped using Superfish long ago, whilst adding it is “not aware of any actual instances of a third party exploiting the vulnerabilities to gain access to a user’s communications”.
