CT Attorney General asks Lenovo about software that tracks web activity
HARTFORD – Attorney General George Jepsen announced his office has sent letters to executives at the computer technology company Lenovo and the software company Superfish about software on that could potentially expose them to hackers.
Jepsen said the Superfish software was intended to track users’ web use to place more ads on websites they visited. He said the software was on computers sold from September 2014 to January 2015 and it’s difficult to remove and leaves the computer vulnerable to hackers.
“It’s extremely concerning that, based on published reports, Lenovo installed this software – which appears to have no meaningful benefit to the consumer – on devices without the purchaser’s knowledge,” Jepsen said. “It is bad enough that the company sold consumers computers pre-loaded with software designed to track their browsing without alerting them. Even more alarming is that the software reportedly has a significant security vulnerability, putting computer users at risk of hacking. After consultation with technical experts, I have opened an investigation and asked both Lenovo and Superfish to provide information in order for me to determine if they have violated Connecticut’s laws prohibiting unfair and deceptive trade practices.”
The U.S. Department of Homeland Security said Lenovo personal computers with the software contain a critical vulnerability through a compromised root CA certificate. Jepsen’s statement said, “Exploitation of that vulnerability could allow a hacker to read all encrypted Web browser traffic, impersonate or spoof any Web site or perform other attacks on the affected user’s computer.”
Lenovo said they stopped preloading the Superfish software and is working on a way to remove the software and the certificate from computers.