Conn. AG launches Lenovo-Superfish 'crapware' probe

Connecticut's state attorney general today announced a probe into Lenovo's practice of bundling adware on consumer PCs.

Three days after Chinese computer maker Lenovo promised to flush "crapware" from its consumer PCs, Connecticut's state attorney general announced a probe into the company's practice of bundling adware.

"It's extremely concerning that, based on published reports, Lenovo installed this software -- which appears to have no meaningful benefit to the consumer -- on devices without the purchaser's knowledge," said Attorney General George Jepsen in a Monday statement. "After consultation with technical experts, I have opened an investigation and asked both Lenovo and Superfish to provide information in order for me to determine if they have violated Connecticut's laws prohibiting unfair and deceptive trade practices."

The Superfish Visual Discovery adware, which was pre-loaded onto Lenovo's consumer personal computers and 2-in-1 devices for four months at the end of 2014, has been at the center of controversy since security experts revealed two weeks ago that the program circumvented encryption in order to inject advertisements into websites.

Superfish's poor design and a weak, easily cracked password gave cybercriminals multiple ways to intercept and steal critical information, including passwords, from Lenovo's PCs.

Some security researchers have found clues that attackers have already exploited Superfish's vulnerabilities.

"It is bad enough that the company sold consumers computers pre-loaded with software designed to track their browsing without alerting them," Jepsen said in the statement. "Even more alarming is that the software reportedly has a significant security vulnerability, putting computer users at risk of hacking."

On Friday, Lenovo said it would immediately begin reducing the amount of "crapware," one of several terms for the often-unwanted pre-loaded software that OEMs (original equipment manufacturers) place on their PCs. Lenovo pledged to complete the process by the time Microsoft releases Windows 10 later this year.

Before making that promise, Lenovo had dismissed the issue as no threat to customers' security and privacy, but it quickly backtracked and released a cleansing tool that deleted the Superfish software and the rogue digital certificate installed on Lenovo-branded Windows PCs.
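The rogue certificate is the part of the Superfish installation that a defender most needs to verify is gone, because a trusted root CA left in the Windows certificate store keeps intercepted HTTPS connections looking valid even after the adware itself is removed. The script below is an added example, not Lenovo's cleansing tool or anything from Superfish: it enumerates the machine and user Root stores with PowerShell's standard `Cert:` provider and reports any certificate whose subject names Superfish (matching on the substring "Superfish" is an assumption about the certificate's subject; adjust the pattern if your inventory records a different name). Removal is opt-in and supports `-WhatIf` so the hit can be reviewed first.

```powershell
# Added example: audit the Windows trusted-root stores for a Superfish CA
# certificate and, optionally, remove it. Uses only built-in cmdlets.

function Find-SuperfishRootCert {
    param(
        # The machine Root store is where a pre-installed CA would normally land;
        # the user Root store is checked as well in case it was re-imported there.
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        # Assumption: the certificate's subject contains "Superfish".
        [string]$SubjectPattern = '*Superfish*'
    )
    foreach ($path in $StorePaths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $SubjectPattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # A root CA whose private key is present on the endpoint is the
                    # condition that let the interception work in the first place.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

function Remove-SuperfishRootCert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($hit in (Find-SuperfishRootCert -StorePaths $StorePaths)) {
        # Certificates are addressed in the Cert: drive as <store path>\<thumbprint>.
        $certPath = Join-Path -Path $hit.Store -ChildPath $hit.Thumbprint
        if ($PSCmdlet.ShouldProcess($certPath, 'Remove trusted root certificate')) {
            Remove-Item -Path $certPath
        }
    }
}

# Report what is present; nothing is changed unless Remove-SuperfishRootCert is called.
$hits = @(Find-SuperfishRootCert)
if ($hits.Count -eq 0) {
    Write-Output 'No Superfish root certificate found in the inspected stores.'
} else {
    $hits | Format-Table -AutoSize
    # Preview the removal, then drop -WhatIf to apply it. Removing from
    # Cert:\LocalMachine\Root requires an elevated (administrator) session.
    # Remove-SuperfishRootCert -WhatIf
}
```

Removing the certificate restores the browser's ability to flag forged sites but does not uninstall the Visual Discovery program itself; as the article notes, Lenovo's tool did both, so the store check is best paired with confirming that the adware package is no longer installed.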

In letters mailed to executives at both Lenovo and Superfish last Friday, Jepsen asked the companies to provide a wide range of information, including how many Superfish-equipped Lenovo PCs were sold in the U.S.; all agreements, contracts or financial arrangements between Lenovo and Superfish, and between Superfish and Komodia, the Israeli company that makes the encryption-busting software Superfish used; what testing was done on Superfish before it was installed on Lenovo's devices; and the "remedial measures" each firm has taken since the security holes were discovered.

"Along with the responses, please provide us with copies of any documents, including email correspondence, identified in your responses and any other documents that support the responses," the letters demanded. Lenovo and Superfish have until March 22 to comply.

Neither company immediately replied to a request for comment.

Lenovo and Superfish are also facing four federal lawsuits filed between Feb. 19 and Feb. 24. Each lawsuit has requested class-action status so that others could join the cases.

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts