Lenovo CTO to create "concrete" Superfish attack plan
The device maker wants to take advice from its harshest critics and security experts to repair damage
The CTO of Lenovo has pledged to create a "concrete plan" to regain customer trust following the Superfish incident, which put the personal details of hundreds of customers at risk.
Peter Hortensius wants to work with the company's "harshest critics" as well as security experts and end users to create a better preload strategy for Lenovo devices, after its notebooks were shipped with adware that exposed customers to hackers.
The Superfish adware used a self-signed security certificate to impersonate SSL-enabled websites.
This replaced the usual security certificate presented by SSL-enabled websites to a computer, and would allow hackers to monitor users' every action online, including bank and email activity.
While Lenovo has sworn it has not used the preloaded software to monitor or profile users, the software has left them open to malicious man-in-the-middle attacks.
Normally each installation of such a certificate would generate its own unique password, but Superfish used the same password for every installation, meaning any hacker with a Lenovo device could recover that password and attack other users.
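The interception described above depends on a root certificate sitting in the machine's trusted store together with the key that signs the forged site certificates. The PowerShell audit below is an added example, not code from the article or from Lenovo; it assumes the Superfish root's subject contains the string "Superfish" (the article does not name the certificate) and treats any trusted root whose private key is present on the same PC as suspicious, since that is exactly what a local interception proxy needs.

```powershell
# Added example: audit the Windows trusted root stores for interception-style
# roots such as the Superfish one. Assumptions (not stated in the article):
# the Superfish root's subject contains "Superfish"; a trusted root whose
# private key lives on the same end-user machine is treated as suspicious,
# because a legitimate public CA never ships its signing key to client PCs.

function Find-SuspiciousRootCA {
    param(
        # Subject substrings to flag by name; "Superfish" is the case in the article.
        [string[]] $SuspectNames = @('Superfish')
    )

    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

    foreach ($store in $stores) {
        foreach ($cert in Get-ChildItem -Path $store) {
            $reasons = @()

            foreach ($name in $SuspectNames) {
                if ($cert.Subject -like "*$name*") {
                    $reasons += "subject matches '$name'"
                }
            }

            # The key that can mint certificates for any site is on this machine.
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present on this machine'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Report only: review each hit before removing anything from a root store.
Find-SuspiciousRootCA | Format-Table -AutoSize
```

Run it from an elevated prompt so the LocalMachine store is readable; a machine that is itself an internal CA will legitimately show a private key and can be excluded by thumbprint.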
The move has embroiled Lenovo in an impending class action lawsuit from angry customers, and Hortensius responded yesterday with an open letter outlining Lenovo's measures to address the issue.
He wrote: "I want to start the process of keeping you up to date on how we are working to fix the problem and restore your faith in Lenovo.
"We are in the midst of developing a concrete plan to address software vulnerabilities and security with defined actions that we will share by the end of the week."
That plan could see Lenovo soliciting the opinions "of even our harshest critics" to evaluate products going forward, as well as rethinking its preload strategy, he said.
Indeed, Hortensius confirmed in an interview with Gizmodo that despite an ongoing deal with Superfish, its software would not be loaded onto any more Lenovo devices.
The CTO added in the open letter: "We are determined to make this situation better, deliver safer and more secure products and help our industry address and prevent the kind of vulnerabilities that were exposed in the last week."