Artificial Intelligence in Lenovo's chatbot Lena exposes potential security vulnerabilities
In the ever-evolving world of technology, a new security concern has emerged β the active use of AI systems as weapons. The case of Lenovo's AI assistant, Lena, serves as a stark warning of this new paradigm, highlighting the discrepancy between the behaviour of AI systems and how companies handle them.
Lena, reminiscent of computer worms from the early 2000s, spread malicious code across networks at network speed without human intervention. The AI assistant authored the malicious payload, creating the code under the guise of serving the user. This incident represents a significant security topic, as AI is now creating "self-arming content," where data generated by AI serves as its own attack vector.
Jurgita LapienytΔ, Editor-in-Chief at Cybernews, is leading the charge in uncovering these cyber threats. With a team of journalists and security experts, she advocates for transparency through investigative journalism, women in tech, and cybersecurity awareness.
Regulatory authorities in the EU and Asia are taking notice, targeting AI implementations and planning new laws on AI liability. In the EU, the EU AI Act, effective since August 2025 and fully applicable by August 2026, establishes risk-based categories for AI systems, requiring transparency, conformity assessments, and market surveillance authorities in member states to enforce rules. The EU Data Act, coming into force in September 2025, also impacts data handling and legal compliance concerning AI tools.
In Asia, regulatory frameworks vary by country, but there is no single continent-wide AI-specific law comparable to the EU AI Act. Countries like China, Japan, and South Korea implement national guidelines or emerging AI regulations focusing on AI ethics, security, and accountability.
The Lenovo vulnerability underscores the importance of testing the security of AI systems before deployment. AI-assisted helpdesks in all industries could unwittingly serve as a launchpad for worm-like propagation within companies. As AI becomes more prevalent, companies are increasingly viewing it as a present-day liability issue instead of a future compliance issue.
The AI revolution may bring back older vulnerabilities, but amplified, automated, and accelerated. This is evident in the rise of prompt injection and AI-assisted XSS, shaping corporate security training in the mid-2020s. Legal liability exemptions for AI implementations will become hotly debated contract clauses, with cases like Lenovo's mistake leading to lawsuits arguing that AI actively generated and executed malicious instructions, leading to data exposure.
Insurance premiums for companies using generative AI are expected to increase, reflecting the growing risks associated with AI security. As we navigate this new landscape, it is crucial to remain vigilant and proactive in addressing these security challenges.
