Lenovo CTO to create “concrete" Superfish attack plan
The device maker wants to take advice from its harshest critics and security experts to repair damage
The CTO of Lenovo has pledged to create a "concrete plan" to regain customer trust following the Superfish incident that risked hundreds of customers' personal details.
Peter Hortensius wants to work with the company's "harshest critics" as well as security experts and end users to create a better preload strategy for Lenovo devices, after its notebooks were shipped with adware that exposed customers to hackers.
The Superfish adware used a self-signed security certificate to impersonate SSL-enabled websites.
This replaced the usual security certificate presented by SSL-enabled websites to a computer, and would allow hackers to monitor users' every action online, including bank and email activity.
While Lenovo has sworn it has not used the preloaded software to monitor or profile users, it has left users open to malicious man-in-the-middle attacks.
Normally every installation of fake certificates generates a unique password, but Superfish used the same password for all installations, meaning any hacker with a Lenovo device could figure out the password and hack other users.
The move has embroiled Lenovo in an impending class action lawsuit from angry customers, and Hortensius responded yesterday with an open letter outlining Lenovo's measures to address the issue.
He wrote: "I want to start the process of keeping you up to date on how we are working to fix the problem and restore your faith in Lenovo.
"We are in the midst of developing a concrete plan to address software vulnerabilities and security with defined actions that we will share by the end of the week."
That plan could see Lenovo soliciting the opinions "of even our harshest critics" to evaluate products going forward, as well as rethinking its preload strategy, he said.
Indeed, Hortensius confirmed in an interview with Gizmodo that despite an ongoing deal with Superfish, its software would not be loaded onto any more Lenovo devices.
The CTO added in the open letter: "We are determined to make this situation better, deliver safer and more secure products and help our industry address and prevent - the kind of vulnerabilities that were exposed in the last week."
Key considerations for implementing secure telework at scale
Identifying the security risks and advanced requirements of a remote workforceDownload now
The State of Salesforce 2020
Your guide to getting the most from SalesforceDownload now
Fast, flexible and compliant e-signatures for global businesses
Be at the forefront of digital transformation with electronic signaturesDownload now
Rethink your cybersecurity strategy for the new world
5 steps to secure the enterprise and be fit for a flexible futureDownload now