In 2014, Lenovo began selling its laptops bundled with a piece of software known as SuperFish, which enabled Lenovo to display more targeted advertising content to its users in order to “enhance [the] user experience” of its customers. While adware has become a commonly used tool in the marketing field, this particular program became a problem for Lenovo when it was discovered recently that SuperFish uses a technique similar to a common hacking practice (a “man in the middle attack”) to monitor users’ encrypted internet traffic and display ads based on that traffic. To make matters worse, the way SuperFish decrypts web traffic to display such ads is so insecure that it leaves the door open for third parties to access the same information in exactly the same way that SuperFish does.
Lenovo’s cautionary tale highlights the need for in-house counsel to take a greater role, not only in compliance issues related to data privacy, but also in monitoring internal business practices for security threats that may arise when the technology a business uses to achieve its goals is not properly vetted prior to implementation.
In this instance, there were numerous problems with the way SuperFish operated, including:
- Storing a private key (essentially a password that decrypts encrypted web traffic) on each Lenovo machine. This kind of key is typically stored only on a secure server by the website or certificate authority that encrypts the information.
- Failing to adequately protect the private keys on the laptops. Robert Graham, CEO of Errata Security, was able to extract the private key and crack the password associated with it using only the information available on the Lenovo laptop that he purchased.
- Using the same private key and password on all laptops, meaning that a third party could set up a fraudulent website that would fool any Lenovo user with the same SuperFish software into believing it was visiting an encrypted, trusted website.
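The third problem above, a trusted root certificate shared across every machine, is something an organization can audit for on its own fleet. The script below is an added example (not from the article, Lenovo or SuperFish) that lists the certificate authorities a machine trusts, flags any whose subject contains a watchlisted vendor name, and optionally reports any root that is not on a known-good baseline; the watchlist fragment, the sample certificate records and the baseline are constructed for illustration.

```python
import ssl

# Constructed watchlist: name fragments that should never appear in a trusted
# root. "Superfish" is the vendor discussed in the article; add others as needed.
SUSPECT_NAME_FRAGMENTS = ("superfish",)

# Constructed sample records in the same shape that ssl.SSLContext.get_ca_certs()
# returns: a "subject" tuple of relative distinguished names, each a tuple of
# (attribute, value) pairs. These are illustrative, not real certificates.
SAMPLE_CERTS = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),))},
    {"subject": ((("commonName", "Example Trusted Root CA"),),)},
]


def subject_string(cert):
    """Flatten a cert record's subject into 'attr=value, attr=value' form."""
    parts = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            parts.append(f"{attr}={value}")
    return ", ".join(parts)


def find_suspect_roots(certs, baseline_subjects=None,
                       fragments=SUSPECT_NAME_FRAGMENTS):
    """Return (reason, subject) pairs for trusted CAs that match the watchlist
    or, when a baseline set of subject strings is supplied, are absent from it."""
    findings = []
    for cert in certs:
        subject = subject_string(cert)
        lowered = subject.lower()
        if any(fragment in lowered for fragment in fragments):
            findings.append(("watchlist", subject))
        elif baseline_subjects is not None and subject not in baseline_subjects:
            findings.append(("not-in-baseline", subject))
    return findings


def audit_local_trust_store(baseline_subjects=None):
    """Load the trust store Python's ssl module sees on this machine and audit it."""
    ctx = ssl.create_default_context()  # loads the platform's default CA certs
    return find_suspect_roots(ctx.get_ca_certs(), baseline_subjects)


if __name__ == "__main__":
    for reason, subject in audit_local_trust_store():
        print(f"{reason}: {subject}")
```

Running the script without a baseline only reports watchlist hits; supplying the set of subjects from a clean reference build turns it into a drift check that also surfaces any root a vendor or installer added later.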
Any one of these issues should have been a red flag about the vulnerabilities in this technology. A robust information security policy that requires a detailed risk analysis before any new technology is implemented can help expose these types of vulnerabilities. Ensuring that adequate due diligence is done at the outset can save your company money and minimize the risks, both internal and external, that come with the use of new technologies.