Hacker News
by infogulch 2326 days ago
I want to emphasize how bad the TLS MITM malware was (adware is too nice a term): they installed a TLS MITM attack by adding the same CA public key to the trust store of every non-business device they sold, and proxied the internet traffic through an on-device proxy that contained the private key to that CA. Yes, you read that right: every device with this malware had the public and private key used to decrypt the TLS traffic of every other device with this malware, effectively exposing every user to have all of their traffic not only decrypted, but also MITM'd again. Not only was it malicious, it was incompetent too.

I don't consider this a technical failure, it's a business failure. One of two options remains: either nobody in Lenovo reviewed this software from a privacy and security perspective, or they did review it and the business deal overruled the security team's ability to veto it. Either way, this indicates an organizational dysfunction so severe there's no way I can trust Lenovo with my personal or business security again.