Lenovo CTO to create "concrete" Superfish attack plan

The device maker wants to take advice from its harshest critics and security experts to repair damage

The CTO of Lenovo has pledged to create a "concrete plan" to regain customer trust following the Superfish incident that risked hundreds of customers' personal details.

Peter Hortensius wants to work with the company's "harshest critics" as well as security experts and end users to create a better preload strategy for Lenovo devices, after its notebooks were shipped with adware that exposed customers to hackers.

The Superfish adware used a self-signed security certificate to impersonate SSL-enabled websites.

This replaced the usual security certificate that an SSL-enabled website presents to the computer, and would allow hackers to monitor users' every action online, including bank and email activity.

While Lenovo has sworn it has not used the preloaded software to monitor or profile users, it has left users open to malicious man-in-the-middle attacks.

Normally each installation of such an interception certificate generates its own unique password, but Superfish used the same password for every installation, meaning any hacker with a Lenovo device could recover the password and attack other users.
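For a defender the practical question is whether a self-signed root like this is still trusted by the machine. The PowerShell below is an added example, not Lenovo's own removal tool: it audits the Windows root stores for a self-signed certificate whose subject contains "Superfish" (an assumption about the subject name) and, with its own `-Remove` switch, deletes any match.

```powershell
# Added example (not Lenovo's removal tool): audit the Windows trusted-root
# stores for a Superfish-style self-signed root. Assumes the certificate's
# subject contains "Superfish"; run elevated to act on the LocalMachine store.
param([switch]$Remove)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$suspects = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        # Self-signed (subject equals issuer) and carrying the suspect name
        Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -like '*Superfish*' } |
        Select-Object @{ n = 'Store'; e = { $store } }, Subject, Thumbprint, NotAfter
}

if (-not $suspects) {
    Write-Output 'No Superfish-style root certificate found in the trusted root stores.'
    return
}

$suspects | Format-Table -AutoSize

if ($Remove) {
    foreach ($s in $suspects) {
        # Removing the root is what stops the proxy's forged site certificates
        # from validating; the adware program itself must still be uninstalled.
        Remove-Item -Path (Join-Path $s.Store $s.Thumbprint) -Verbose
    }
}
```

Run without `-Remove` first to see what would be deleted; the same subject/issuer check also catches other interception roots if you widen the `-like` pattern.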

The move has embroiled Lenovo in an impending class action lawsuit from angry customers, and Hortensius responded yesterday with an open letter outlining Lenovo's measures to address the issue.

He wrote: "I want to start the process of keeping you up to date on how we are working to fix the problem and restore your faith in Lenovo.

"We are in the midst of developing a concrete plan to address software vulnerabilities and security with defined actions that we will share by the end of the week."

That plan could see Lenovo soliciting the opinions "of even our harshest critics" to evaluate products going forward, as well as rethinking its preload strategy, he said.

Indeed, Hortensius confirmed in an interview with Gizmodo that despite an ongoing deal with Superfish, its software would not be loaded onto any more Lenovo devices.

The CTO added in the open letter: "We are determined to make this situation better, deliver safer and more secure products and help our industry address and prevent the kind of vulnerabilities that were exposed in the last week."
