FTC & State AG

Practical Takeaways from the FTC-Lenovo “Superfish” Settlement

Published: Sep. 26, 2017

Updated: Oct. 05, 2020

The FTC announced a settlement with Lenovo over the company’s widely-reported practice of pre-installing its laptops with ad-injecting software designed by the developer Superfish. The settlement highlights several common security pitfalls that companies should watch out for to avoid unwanted regulatory and media attention.

In its complaint, the FTC alleges the Superfish software used image-recognition technology to find and replace ads served on Lenovo customers as they browsed online shopping websites. In order to capture the content of these browsing sessions, which are often HTTPS-secured, Superfish relied on “man-in-the-middle” software. This software replaced webpages’ standard security certificates—website validation tools that are cryptographically signed by trusted third parties—with Lenovo’s own certificates, which were generated on the fly using an added “root” certificate that came pre-installed on each Lenovo computer. Moreover, the private key used to generate these replacement certificates used the easily-guessed password “komodia,” the name of the vendor that supplied Superfish with its man-in-the-middle software. With knowledge of this password, hackers could exploit the Superfish software to defeat HTTPS’s encryption and authentication features for any Lenovo customer. The resulting vulnerabilities, in tandem with Lenovo’s failure to disclose the software’s presence to its customers, earned it charges under both the “deceptive” and “unfairness” prongs of the FTC’s Section 5 authority.

Lessons for Businesses

Three important lessons can be drawn from the Lenovo settlement to help companies steer clear of future FTC action. First, companies should tread carefully when distributing programs that employ man-in-the-middle software. Though there are legitimate uses for such products—for example, enterprise security software such as network data loss prevention tools—any business that makes use of such software should take a close look to ensure that the software is both clearly disclosed and designed with security risks in mind.  Superfish’s software, for example, did not first validate web certificates before replacing them, defeating the authentication normally provided by HTTPS. In Lenovo’s case, the FTC’s scrutiny has resulted in a 20-year consent decree and additional requirements.

Second, it is critical that businesses adopt best practices when it comes to key management. Two perennially relevant pieces of advice are worth repeating here: 1) don’t use easy to guess passwords (in any context, but in this case when generating private keys), and 2) don’t reuse passwords across accounts/keys. This applies to businesses and individuals, and is especially important if your software interacts with common security protocols like HTTPS. According to the FTC, Lenovo could have avoided the most damaging vulnerabilities if it had followed these simple rules; instead, its reuse of the easily guessable “komodia” to unlock all of the private keys across all its root certificates on user PCs led to an enforcement action. Companies interested in reviewing their password policies can look to the recently-updated NIST guidelines as a helpful starting point.

Third, extend the same caution you use in setting internal information security policies to software vendors and other third parties. The FTC emphasized this point in a recent entry in its “Stick with Security” series, reminding businesses to perform adequate security due diligence on prospective vendors, include specific security requirements in vendor services agreements, and periodically verify compliance by the vendor with applicable security requirements. The Lenovo settlement, which centered entirely on software designed by a third party software vendor, only underscores this point further.