More lawyers swoop down on Lenovo, Superfish with class-action lawsuits in hand

Second and third complaints allege spying, fraud, ill-gotten gains

Lenovo and adware maker Superfish came under more legal fire yesterday as two new lawsuits were filed in California federal courts taking the firms to task for putting consumers at risk of hacker spying and information theft.

The two complaints -- the second and third since the China-based computer OEM (original equipment manufacturer) admitted it had pre-loaded adware on its consumer PCs in the second half of 2014 -- named both Lenovo and Superfish, and each lawsuit requested class-action status so that others could join the case.

Last week's first lawsuit covered much of the same ground as the two lodged Monday.

David Hunter of North Carolina, the plaintiff in one of the lawsuits, alleged that Lenovo and Superfish violated the U.S. Electronic Communications Privacy Act and other laws, and asked that the court force the firms to surrender any revenue generated by the sale of consumers' browsing data and monies earned from the advertising produced by the adware.

Hunter said he bought a Lenovo Y50 laptop -- one of dozens of models Lenovo said it had pre-installed Superfish on from September through December 2014 -- via the OEM's website in October.

In the second complaint, filed by Sterling International Consulting Group (SICG) of Statesville, NC, Lenovo and Superfish were charged with breaking the U.S. Wiretapping Act, state and federal anti-fraud regulations and other laws.

Of the two new complaints, Hunter's was the more interesting: it relied not only on press reports about Superfish's vulnerability and Lenovo's actions before and after last week's wave of disclosures, but also dug a bit deeper and offered some insight into how the adware operates.

The complaint drew a connection between Superfish and Komodia, the Israeli company whose technology Superfish used in its Visual Discovery adware to circumvent browser-to-server encryption, and whose self-signed certificate's password was easily cracked last week.

Hunter's lawyers brought up Komodia Redirector, Komodia's flagship product that the firm boasts "intercepts traffic on the local machine based on rules that you [the developer] define."

"Defendants' local proxy is their version of a product sold by non-party Komodia, which is marketed as a 'redirector product' ('Komodia Redirector')," stated Hunter's complaint. "The Komodia Redirector lets defendants 'redirect traffic' away from the user's intended recipient and 'to the proxy service. When a connection is made' by the user, the Komodia Redirector determines whether a specific communication 'should be intercepted' and then intercepts and reroutes the communications to the local proxy."

Security researcher Marc Rogers of CloudFlare, one of several experts who have investigated Lenovo's use of Superfish and the adware's behavior, called out the Komodia-made proxy for not properly implementing SSL (Secure Sockets Layer) -- the Web's encryption standard -- leaving PCs with the software open to tampering or eavesdropping, even if the certificate hadn't been junk.
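The practical question for anyone with an affected laptop is whether the interception root is still trusted by the machine. The following check is an added example, not code from the article, Lenovo, Superfish or Komodia; it assumes a Windows host with PowerShell 3 or later, and matches certificate names against the vendor names given above rather than any fingerprint (the article supplies none).

```powershell
# Added example: look for a Superfish/Komodia interception root in the
# Windows trust stores. Name patterns are an assumption drawn from the
# vendor names in the article, not known-good fingerprints.
$pattern = 'Superfish|Komodia'

# Both the machine-wide and per-user "Trusted Root" stores can hold a
# root that the browser will accept, so check both.
$storesToCheck = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$findings = foreach ($store in $storesToCheck) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern } |
        ForEach-Object {
            [PSCustomObject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                # A root whose subject equals its issuer is self-signed, which is
                # what a locally installed interception CA looks like.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotAfter   = $_.NotAfter
            }
        }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Interception root(s) found: remove the adware, delete the root by thumbprint, then re-run this check.'
} else {
    Write-Output 'No Superfish/Komodia root certificates found in the checked stores.'
}
```

Removing the root alone is not enough while the proxy software is still installed, since it can reinstall the certificate; uninstall the adware first and then delete the listed thumbprint from the store it was found in.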

"In one move, this software trashes the last decade of browser security and privacy work, and the last five years of SSL cipher management," Rogers argued in a Feb. 19 post to his personal blog.

Lenovo today declined to respond to the new lawsuits, with its head of corporate communications, Brion Tingler, saying, "We do not comment on pending legal matters," in an email.

Superfish also declined to comment on the lawsuits' specifics, citing, like Lenovo, the pending litigation. But in a statement, company CEO Adi Pinhas said, "Superfish takes these matters seriously and is reviewing the allegations in the complaints."
