AG Jepsen Opens Inquiry into Lenovo,
Superfish Privacy and Security Concerns
Asks both companies to provide information about pre-installed software
Attorney General George Jepsen has sent letters to executives at the computer technology company Lenovo Group Ltd. and the software company Superfish seeking information about software pre-installed on Lenovo personal computers and sold to consumers that could potentially expose them to hackers. The Superfish software was intended to track users' Web searching and browsing activity in order to place additional ads on the sites they visit.
According to published reports, the Superfish software – Superfish Visual Discovery – resides in the operating system of certain Lenovo personal computers sold from about September 2014 to January 2015, making it difficult for common antivirus products to detect or remove it. Many consumers do not know it exists on their personal computer, yet the software allegedly facilitates the ability of hackers to access a user's computer.
"It's extremely concerning that, based on published reports, Lenovo installed this software – which appears to have no meaningful benefit to the consumer – on devices without the purchaser's knowledge," Attorney General Jepsen said. "It is bad enough that the company sold consumers computers pre-loaded with software designed to track their browsing without alerting them. Even more alarming is that the software reportedly has a significant security vulnerability, putting computer users at risk of hacking. After consultation with technical experts, I have opened an investigation and asked both Lenovo and Superfish to provide information in order for me to determine if they have violated Connecticut's laws prohibiting unfair and deceptive trade practices."
According to the U.S. Department of Homeland Security, Lenovo personal computers employing the pre-installed software contain a critical vulnerability through a compromised root CA certificate. Exploitation of that vulnerability could allow a hacker to read all encrypted Web browser traffic, impersonate or spoof any Web site or perform other attacks on the affected user's computer.
Lenovo has indicated in public reports that it has stopped preloading the Superfish software on its devices and has created a fix to purge the software and the certificate from computer systems.
"While I'm pleased that Lenovo has taken steps to remedy this problem, the fact remains that it intentionally sold an as yet unknown number of Connecticut consumers computers loaded with software to track their Web activity without telling them and, in the process, endangered their personal information," said Attorney General Jepsen.
Assistant Attorneys General Jonathan Blake and Matthew Fitzsimmons, chair of the Attorney General's Privacy Task Force, are assisting the Attorney General with this matter.