The biggest PC maker on the planet is under fire for allegedly exposing its customers to a security threat that could compromise users’ most private information.
Beijing-based Lenovo is accused of pre-loading potentially millions of its laptops with sneaky software called Superfish, without telling its customers.
Superfish works by constantly watching while you browse online, tracking your habits, and then spitting out customized ads onto your browser. In the process, it allegedly creates a giant security hole, and an open invitation for thieves.
"It's opened a conduit that other hackers can then exploit," explains Northwestern law professor Jim Speta. "They can read my account numbers, they can read my credit card information."
Speta says not only is your most private information there for the taking, but the software also violates consumers’ privacy.
"I don't think consumers had any idea that the software was there and what it might expose them to," Speta said.
The danger to consumers: a technique well known to hackers called a "man-in-the-middle attack." Superfish sits in the middle of internet traffic and secretly intercepts and reads private information.
At the same time, it gives cyber thieves access to that info, including passwords, accounts and social security numbers. Even worse, experts say, consumers have no idea it’s happening because the security lock on the browser still appears locked even though the session is actually no longer secure.
Something Branden Hayden says he’s all too familiar with. The Chicago man says he was a victim of Lenovo and Superfish. His problems started after a repair.
"I started to notice ads and pop ups," Hayden recalled.
A software engineer by trade, Hayden asked Lenovo to send him parts so he could repair his computer himself. Hayden says the parts Lenovo sent were pre-loaded with Superfish.
"When I called Lenovo and I said, 'Lenovo, what's this all about? Why is all this happening?' Lenovo said, 'Oh, don't worry, it's not a problem,'" Hayden explained. "And they told me it was my imagination or I'm just an ignorant consumer and I don't know what I'm talking about."
Hayden is one of many consumers now going after Lenovo and Superfish in lawsuits filed across the country, alleging Lenovo made a deal with Superfish to pre-load the spyware into 52 separate types of laptops shipped to retailers between August 2014 and February 2015, without telling consumers.
"That's an intentional wrongdoing," claimed Chicago attorney Clint Krislov. "This is like being wiretapped."
Krislov says the software is buried so deep in the computer it’s virtually impossible to detect.
"There is a battle going on to get to what they call bare metal, which is to install something so low that no one can detect it," Krislov said.
A threat so dangerous the Department of Homeland Security issued an alert in February urging users to uninstall the adware right away.
Lenovo admits it pre-installed Superfish on some notebooks, and apologized for causing any concern. The computer giant says the software is no longer active on its products, and has provided its customers with tools to uninstall the software.
Connecticut’s Attorney General has launched an investigation into Lenovo as a result of the Superfish scandal. State authorities in North Carolina say they’re monitoring the situation.
Superfish has not responded to our repeated requests for comment.
Last week, Lenovo landed back in the headlines for yet another security breach in its computers. A report from a California security firm revealed major vulnerabilities that would allow hackers to replace legitimate software with malware and remotely control it without detection.