"It's extremely concerning that, based on published reports, Lenovo installed this software -- which appears to have no meaningful benefit to the consumer -- on devices without the purchaser's knowledge," said Attorney General George Jepsen in a Monday statement. "After consultation with technical experts, I have opened an investigation and asked both Lenovo and Superfish to provide information in order for me to determine if they have violated Connecticut's laws prohibiting unfair and deceptive trade practices."
The Superfish Visual Discovery adware, which was pre-loaded onto Lenovo's consumer personal computers and 2-in-1 devices for four months at the end of 2014, has been at the center of controversy since security experts revealed two weeks ago that the program circumvented encryption in order to inject sites with advertisements.
Superfish's poor design and a weak, easily-cracked password gave cybercriminals multiple ways to intercept and steal critical information, including passwords, from Lenovo's PCs.
Some security researchers have found clues that attackers have already exploited Superfish's vulnerabilities.
"It is bad enough that the company sold consumers computers pre-loaded with software designed to track their browsing without alerting them," Jepsen said in the statement. "Even more alarming is that the software reportedly has a significant security vulnerability, putting computer users at risk of hacking."
On Friday, Lenovo said it would immediately begin reducing the amount of "crapware," one of several terms used to describe the often-unwanted pre-loaded software OEMs (original equipment manufacturers) place on their PCs. Lenovo pledged to complete the process by the time Microsoft releases Windows 10 later this year.
Prior to the promise, Lenovo had initially dismissed the issue as no threat to customers' security and privacy, but quickly backtracked and released a cleansing tool that deleted the Superfish software and the rogue digital certificate installed on Lenovo-branded Windows PCs.
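An administrator who wants to confirm that the rogue root certificate is no longer trusted on a machine can query the Windows certificate stores directly. The following PowerShell snippet is an added example, not Lenovo's cleansing tool; it assumes the certificate's Subject field contains the string "Superfish" and only reports what it finds, without modifying any store.

```powershell
# Added example: look for a trusted root CA whose subject mentions Superfish.
# Assumption: the rogue certificate's Subject field contains "Superfish".
# This script only reports; it does not delete or alter anything.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*Superfish*' } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer      # self-signed root: Issuer equals Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
            }
        }
}

if ($hits) {
    Write-Warning 'A Superfish certificate is still present in a trusted root store:'
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No Superfish certificate found in the trusted root stores.'
}
```

Checking both the machine-wide and the current-user root stores covers the two places a trusted root can be installed. A hit means any certificate chained to that root, for any site, is still accepted by applications that use the Windows trust store; removing the certificate by hand does not remove the software that installed it, which is why the vendor's removal tool handles both.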
In letters mailed to executives at both Lenovo and Superfish last Friday, Jepsen asked the companies to provide a wide range of information, including how many Superfish-equipped Lenovo PCs were sold in the U.S.; all agreements, contracts or financial arrangements between Lenovo and Superfish, and between Superfish and Komodia, the Israeli company that makes the encryption-busting software the former used; what testing was done on Superfish before it was installed on Lenovo's devices; and the "remedial measures" each firm took since the discovery of security holes.
"Along with the responses, please provide us with copies of any documents, including email correspondence, identified in your responses and any other documents that support the responses," the letters demanded. Lenovo and Superfish have until March 22 to comply.
Neither company immediately replied to a request for comment.
Lenovo and Superfish are also facing four federal lawsuits filed between Feb. 19 and Feb. 24. Each lawsuit has requested class-action status so that others could join the cases.