Lenovo nixes hard-coded password on pre-installed file-sharing app

Lenovo has been pulled up again for putting users’ data at risk, this time for using a hard-coded password “12345678” in its file-sharing app, SHAREit.

The hardware company on Monday released new versions of SHAREit for Windows and Android to fix four security flaws reported to it last October by researchers at Core Security.

Lenovo is the world’s largest PC maker, and the company pre-installs SHAREit on its popular Yoga series laptops and tablets, Think and IdeaPad notebooks, as well as Windows and Android tablets. Given this, the bugs are likely to affect millions of Lenovo users.

Lenovo debuted SHAREit in 2014 as a tool to make it easy for users to share files, pictures, videos and documents between devices over Wi-Fi or Bluetooth. However, as Core Security details, Lenovo made a number of poor choices for protecting data and devices with the pre-installed app.

The hard-coded password issue is specific to the Windows version of SHAREit when the app is set up as a Wi-Fi hotspot on a Windows device. According to Core Security, anyone nearby with a wireless network card who knew the app's static password — which happened to be “12345678” — could connect to the hotspot.

The Android SHAREit app contained a similar flaw that could have let anyone nearby capture information being transferred between two devices.

“When the application is configured to receive files, an open Wifi HotSpot is created without any password. An attacker could connect to that HotSpot and capture the information transferred between those devices,” the security company said.

Lenovo concurred with the description in its own advisory and rated the bugs as medium severity.

Core Security also found an attacker could remotely browse but not download files by performing an HTTP request to the web server launched by the vulnerable version of SHAREit for Windows.

Finally, Lenovo had configured the app on Windows and Android to transfer files via HTTP. That is, without encryption.

“An attacker that is able to sniff the network traffic could view the data transferred or perform man in the middle attacks, for example by modifying the content of the transferred files,” Core Security said of that bug.

According to Core Security's account of talks with Lenovo about the timing of disclosure, Lenovo initially considered the hard-coded password issue “fixed” when it removed the static password from “secure mode” but left it in “easy mode”.

"Secure mode" is a new option in the latest versions of SHAREit for Android and Windows, which Lenovo said in its advisory "resolves the first vulnerability [the static password] by allowing users to configure a unique password to share files between users, which will prevent unauthorized users from connecting to the SHAREit hotspot."

It added that this "mode also fixes the second vulnerability by encrypting the file transfer using AES-256 (using the unique password as a pre-shared key) on a PC to PC LAN transfer and through a hotspot WPA connection on transfers involving the Android version".
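As an added example (not code from the article, Lenovo or Core Security), the Python audit below expresses the configurations described above as structured settings and flags which weakness classes apply to each: the Windows hotspot with the static “12345678” password, the Android open hotspot created in receive mode, the plaintext HTTP transfer, the file listing reachable over HTTP, and the secure-mode configuration with a user-chosen password and encrypted transfer. The field names, the sample configurations and the PBKDF2 key-derivation step are assumptions made for illustration; they are not SHAREit's real settings or its actual AES-256 scheme.

```python
"""Audit a device-to-device file-sharing configuration for the classes of
weakness the article describes: a hard-coded hotspot password, an open
hotspot, plaintext transfer, and a file listing reachable without
authentication.

Added illustration, not Lenovo's or Core Security's code.  Field names,
the sample configurations and the key-derivation parameters are
constructed assumptions, not SHAREit's real settings.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional

# The static password the article reports for the vulnerable Windows build.
KNOWN_STATIC_PASSWORDS = {"12345678"}


@dataclass(frozen=True)
class ShareConfig:
    name: str
    hotspot_auth: str              # "open" or "psk" (assumed field)
    hotspot_psk: Optional[str]     # pre-shared key a peer must know to join
    transfer_encrypted: bool       # False means plain HTTP on the wire
    unauthenticated_browse: bool   # built-in web server lists files without auth


# Finding codes, one per weakness class named in the article.
OPEN_HOTSPOT = "open-hotspot"
STATIC_PASSWORD = "static-hotspot-password"
PLAINTEXT_TRANSFER = "plaintext-transfer"
UNAUTH_BROWSE = "unauthenticated-file-listing"


def audit(cfg: ShareConfig) -> List[str]:
    """Return the finding codes that apply to one configuration."""
    findings = []
    if cfg.hotspot_auth == "open":
        # Anyone in range can join and capture the transfer.
        findings.append(OPEN_HOTSPOT)
    elif cfg.hotspot_psk in KNOWN_STATIC_PASSWORDS:
        # A password shared by every install is public knowledge.
        findings.append(STATIC_PASSWORD)
    if not cfg.transfer_encrypted:
        # Sniffing or in-path modification of files is possible.
        findings.append(PLAINTEXT_TRANSFER)
    if cfg.unauthenticated_browse:
        findings.append(UNAUTH_BROWSE)
    return findings


def derive_transfer_key(psk: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Stretch a user-chosen pre-shared key into a 32-byte (256-bit) key.

    The article says secure mode uses the unique password as the AES-256
    pre-shared key; PBKDF2-HMAC-SHA256 here is an assumed way of turning a
    password into a key of that size, not SHAREit's actual scheme.
    """
    return hashlib.pbkdf2_hmac("sha256", psk.encode("utf-8"), salt, iterations, dklen=32)


# Constructed sample configurations modelled on the article's description.
EASY_MODE_WINDOWS = ShareConfig(
    name="SHAREit Windows, easy mode (as described)",
    hotspot_auth="psk", hotspot_psk="12345678",
    transfer_encrypted=False, unauthenticated_browse=True,
)
EASY_MODE_ANDROID = ShareConfig(
    name="SHAREit Android, receive mode (as described)",
    hotspot_auth="open", hotspot_psk=None,
    transfer_encrypted=False, unauthenticated_browse=False,
)
SECURE_MODE = ShareConfig(
    name="secure mode with a user-chosen password",
    hotspot_auth="psk", hotspot_psk=secrets.token_urlsafe(12),
    transfer_encrypted=True, unauthenticated_browse=False,
)


def audit_all(configs=(EASY_MODE_WINDOWS, EASY_MODE_ANDROID, SECURE_MODE)) -> dict:
    """Map each sample configuration's name to its findings."""
    return {cfg.name: audit(cfg) for cfg in configs}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {findings or 'no findings'}")
```

The two "easy mode" configurations each produce findings; the secure-mode one produces none, which is the property the advisory claims for it. Note that the static-password check only fires when the hotspot is not open: an open hotspot is already the more severe finding, and reporting both would double-count one root cause.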

Lenovo urged customers to update to version 3.2.0 and above for Windows, and version 3.5.48_ww and above for Android.

For Lenovo it’s the latest in a series of security flaws in pre-installed tools on its hardware, following its Superfish debacle early last year.

Security firm IOActive recently reported security bugs in Lenovo System Update, a tool pre-installed on Lenovo PCs that helps users keep drivers and BIOS up to date. SHAREit users on Windows can use that tool to update the file-sharing product, while Android users can get the patched version via Google Play.

Stories by Liam Tung