A security expert’s discovery last month that certain Lenovo laptop computers were shipped with well-concealed malware giving hackers easy access to users’ most confidential information has led Weitz & Luxenberg P.C. to announce an investigation into potential legal claims against the hardware manufacturer and against the malware vendor, Superfish, the law firm today disclosed.
W&L plans to talk to as many Lenovo users as possible about their legal rights to compensation from both Lenovo and Superfish.
Users of certain Lenovo laptops sold in the last five months could be harmed by the malware — a commercial product called VisualDiscovery — via “man-in-the-middle” attacks.
In such an attack, a hacker lurking on the Lenovo user’s Wi-Fi network hijacks the laptop’s internet browser to steal bank credentials, passwords and any other valuable data that might be stored on the laptop, the firm explained.
Hackers could also potentially use the laptop’s own security key to certify imposter HTTPS websites — a practice known as “spoofing” — that masquerade as Bank of America, Google or any other secure destination on the Internet, W&L warned.
Superfish Creates Lenovo Super-Vulnerability
According to a report in The New York Times published this week, Superfish’s VisualDiscovery software could enable hackers to monitor and exploit everything a Lenovo user does while online.
“The tragedy is that Lenovo users have been led to believe the data they’re storing on their laptops are safe and secure, when those data are anything but safe and secure,” said Robin L. Greenwald, who heads W&L’s Environmental, Toxic Tort & Consumer Protection Unit.
Security experts who have looked into this situation contend that only by fully wiping out the memory of a vulnerable Lenovo laptop and then installing a non-Lenovo version of Windows can a user be assured of closing the security hole created by the Superfish VisualDiscovery software.
Some computer experts said taking such a step may expose users to still more harm since fully erasing a computer’s factory-installed memory and replacing it opens the door to potentially unforeseen performance glitches.
In the worst cases, these glitches can destabilize a system to the point that the user can no longer rely on it and may need to replace the entire machine, experts caution.
Slate Magazine called Lenovo’s decision to pre-install the Superfish software a betrayal of its customers. Slate quoted one expert as saying he “cannot overstate how evil [Lenovo’s action] is.”
W&L points to other computer experts as saying that, when Lenovo added the Superfish product, it knew a significant security hole would be created, making the laptops easy prey for hackers.
Nine Lenovo Laptop Models Affected
Affected are Lenovo G, U, Y, Z, S, Flex, MIIX, YOGA, and E series laptops sold between last September and this month, according to news reports.
Lenovo, the news reports continue, admits to having shipped those models with the Superfish product installed.
Slate asserts that Lenovo should have known about the problem as early as Jan. 21, when a user who discovered the vulnerability reported it to a Lenovo forum.
Greenwald said Lenovo since that time has failed to take appropriate steps to eliminate the problem.
W&L said harmed Lenovo users may be able to pursue legal action by claiming the consumer protections offered through various federal and state statutes, plus civil law.
“Consumers who have been harmed have a right to be fully compensated for their injuries,” said Greenwald. “We intend to help see that justice is done for them.”