Lenovo CTO to create "concrete" Superfish attack plan

The CTO of Lenovo has pledged to create a "concrete plan" to regain customer trust following the Superfish incident, which put hundreds of customers' personal details at risk.

Peter Hortensius wants to work with the company's "harshest critics" as well as security experts and end users to create a better preload strategy for Lenovo devices, after its notebooks were shipped with adware that exposed customers to hackers.

The Superfish adware used a self-signed security certificate to impersonate SSL-enabled websites.

This replaced the usual security certificate presented by SSL-enabled websites to a computer, and would allow hackers to monitor users' every action online, including bank and email activity.

While Lenovo has sworn it has not used the preloaded software to monitor or profile users, it has left users open to malicious man-in-the-middle attacks.

Normally, each installation of such a certificate generates its own unique password, but Superfish used the same password for every installation, meaning anyone who recovered it from one Lenovo device could use it against other users.
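The mechanism described above, as an added example that is not part of the original article: it models a preloaded self-signed root with the Python `cryptography` library (assumed installed), shows that a forged certificate for a bank site is rejected until that root sits in the trust store, and ends with a baseline comparison a defender can run to spot roots that should not be there. All certificate names and keys are constructed for the demo; none is the real Superfish certificate.

```python
# Added demo (not the article's code): models the trust failure the article describes
# with the `cryptography` library (assumed installed). All names/keys are constructed.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def make_cert(cn, key, issuer=None, issuer_key=None, is_ca=False):
    """Build a certificate; with no issuer it is self-signed, i.e. a root."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))

def fingerprint(cert):
    return cert.fingerprint(hashes.SHA256()).hex()

def chain_trusted(leaf, root, trusted_fps):
    """A client accepts the leaf only if the root signed it AND the root is trusted."""
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 padding.PKCS1v15(), leaf.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return leaf.issuer == root.subject and fingerprint(root) in trusted_fps

def unexpected_roots(store_fps, baseline_fps):
    """Defender check: trusted roots on a machine that a known-good baseline lacks."""
    return set(store_fps) - set(baseline_fps)

# Constructed scenario: a genuine public CA, plus a preloaded interception root whose
# key is identical on every machine (the article's "same password" problem, modelled
# here as one shared root key).
PUBLIC_ROOT = make_cert("Demo Public CA", new_key(), is_ca=True)
intercept_key = new_key()
INTERCEPT_ROOT = make_cert("Demo Preloaded Adware Root", intercept_key, is_ca=True)
FORGED_LEAF = make_cert("bank.example", new_key(), INTERCEPT_ROOT, intercept_key)

BASELINE = {fingerprint(PUBLIC_ROOT)}                      # store before the preload
TAMPERED_STORE = BASELINE | {fingerprint(INTERCEPT_ROOT)}  # store after the preload
```

On a real machine the baseline would be the vendor's clean image and the store would be read from the OS; the comparison is the same.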

The move has embroiled Lenovo in an impending class action lawsuit from angry customers, and Hortensius responded yesterday with an open letter outlining Lenovo's measures to address the issue.

He wrote: "I want to start the process of keeping you up to date on how we are working to fix the problem and restore your faith in Lenovo.

"We are in the midst of developing a concrete plan to address software vulnerabilities and security with defined actions that we will share by the end of the week."

That plan could see Lenovo soliciting the opinions "of even our harshest critics" to evaluate products going forward, as well as rethinking its preload strategy, he said.

Indeed, Hortensius confirmed in an interview with Gizmodo that despite an ongoing deal with Superfish, its software would not be loaded onto any more Lenovo devices.

The CTO added in the open letter: "We are determined to make this situation better, deliver safer and more secure products and help our industry address and prevent the kind of vulnerabilities that were exposed in the last week."