Connecticut Attorney General George Jepsen is looking into Lenovo and the software company Superfish amid concerns that some personal computers come pre-installed with software that could potentially expose them to hackers.
Jepsen sent letters to executives at Lenovo Group Ltd. and Superfish, asking for information about software that tracks users' web searching and browsing activity to place ads on the sites they visit.
According to published reports, Superfish Visual Discovery is in the operating system of certain Lenovo personal computers sold from about September 2014 to January 2015, making it difficult for common antivirus products to detect or remove it. Many people don’t know it exists on their personal computer, Jepsen said, but yet the software allegedly facilitates the ability of hackers to access a user's computer.
"It's extremely concerning that, based on published reports, Lenovo installed this software – which appears to have no meaningful benefit to the consumer – on devices without the purchaser's knowledge," Jepsen said in a statement. "It is bad enough that the company sold consumers computers pre-loaded with software designed to track their browsing without alerting them. Even more alarming is that the software reportedly has a significant security vulnerability, putting computer users at risk of hacking. After consultation with technical experts, I have opened an investigation and asked both Lenovo and Superfish to provide information in order for me to determine if they have violated Connecticut's laws prohibiting unfair and deceptive trade practices."
According to the U.S. Department of Homeland Security, Lenovo personal computers with the pre-installed software contain “a critical vulnerability” through a compromised root CA certificate.
Lenovo has indicated in public reports that it has stopped preloading the Superfish software on its devices and has created a fix to purge the software and the certificate from computer systems.
"While I'm pleased that Lenovo has taken steps to remedy this problem, the fact remains that it intentionally sold an as yet unknown number of Connecticut consumers computers loaded with software to track their Web activity without telling them and, in the process, endangered their personal information," said Attorney General Jepsen.
Local
Assistant Attorneys General Jonathan Blake and Matthew Fitzsimmons, chair of the Attorney General's Privacy Task Force, are assisting Jepsen.
