Lenovo CTO to create "concrete" Superfish attack plan

The device maker wants to take advice from its harshest critics and security experts to repair damage

The CTO of Lenovo has pledged to create a "concrete plan" to regain customer trust following the Superfish incident, which put the personal details of hundreds of customers at risk.

Peter Hortensius wants to work with the company's "harshest critics" as well as security experts and end users to create a better preload strategy for Lenovo devices, after its notebooks were shipped with adware that exposed customers to hackers.

The Superfish adware used a self-signed security certificate, installed on the machine as a trusted root, to impersonate SSL-enabled websites.

This replaced the usual security certificate that an SSL-enabled website presents to a computer, and would allow hackers to monitor users' every action online, including bank and email activity.

While Lenovo has sworn it has not used the preloaded software to monitor or profile users, the software has left them open to man-in-the-middle attacks.

Normally each installation that adds such a certificate generates its own unique password, but Superfish used the same password on every installation, meaning any hacker with a Lenovo device could figure out the password and use the certificate against other users.
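A check a fleet administrator would run after an incident like this, added here as an example and not code from the article or from Lenovo: it walks a certificate bundle, picks out the self-signed root CAs whose subject matches a vendor name, and reports each one's SHA-256 fingerprint so it can be blocked and compared across machines. The bundle, the organisation names and the keys are constructed stand-ins, not the real Superfish certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// FindSelfSignedRoots lists the self-signed CAs in bundle whose subject contains needle (e.g. a preload vendor name).
func FindSelfSignedRoots(bundle []*x509.Certificate, needle string) (hits []*x509.Certificate) {
	for _, c := range bundle {
		// Self-signed: subject equals issuer and the signature checks out under the cert's own key.
		if c.IsCA && c.Subject.String() == c.Issuer.String() && c.CheckSignatureFrom(c) == nil &&
			strings.Contains(strings.ToLower(c.Subject.String()), strings.ToLower(needle)) {
			hits = append(hits, c)
		}
	}
	return hits
}

// ConstructedRoot is a stand-in self-signed CA (not the Superfish certificate) with a fresh key per call.
func ConstructedRoot(org string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand itself fails
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced on the line above always parses
	return cert
}

func main() {
	bundle := []*x509.Certificate{ConstructedRoot("Constructed Adware Root"), ConstructedRoot("Constructed Corporate CA")}
	for _, c := range FindSelfSignedRoots(bundle, "adware") {
		fmt.Printf("unexpected root %q sha256=%x\n", c.Subject.String(), sha256.Sum256(c.Raw)) // fingerprint to block
	}
}
```

On a real machine the bundle would come from the system trust store (for example exported PEM files parsed with x509.ParseCertificate), and the fingerprint, not the name, is what to block, since a name is trivial to change.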

The episode has embroiled Lenovo in an impending class action lawsuit from angry customers, and Hortensius responded yesterday with an open letter outlining Lenovo's measures to address the issue.

He wrote: "I want to start the process of keeping you up to date on how we are working to fix the problem and restore your faith in Lenovo.

"We are in the midst of developing a concrete plan to address software vulnerabilities and security with defined actions that we will share by the end of the week."

That plan could see Lenovo soliciting the opinions "of even our harshest critics" to evaluate products going forward, as well as rethinking its preload strategy, he said.

Indeed, Hortensius confirmed in an interview with Gizmodo that despite an ongoing deal with Superfish, its software would not be loaded onto any more Lenovo devices.

The CTO added in the open letter: "We are determined to make this situation better, deliver safer and more secure products and help our industry address and prevent the kind of vulnerabilities that were exposed in the last week."
