Lenovo has been pulled up again for putting users’ data at risk, this time for using a hard-coded password “12345678” in its file-sharing app, SHAREit.
The hardware company on Monday released new versions of SHAREit for Windows and Android to fix four security flaws reported to it last October by researchers at Core Security.
Lenovo is the world’s largest PC maker and the company pre-installs SHAREIt on its popular Yoga series laptops and tablets, Think and IdeaPad notebooks, as well as Windows and Android tablets. Given this, the bugs are likely to affect millions of Lenovo users.
Lenovo debuted SHAREit in 2014 as a tool to make it easy for users share files, pictures, videos and documents between devices over wi-fi or Bluetooth. However, as Core Security details, Lenovo made a number of poor choices for protecting data and devices with the pre-installed app.
The hard-coded password issue is specific to the Windows version of SHAREit when the app is set up as a wifi hotspot on a Windows device. According to Core Security, anyone nearby with a network card that knew the app's static password — which happened to be “12345678” — could connect to the hotspot.
The Android SHAREit app contained a similar flaw that could have let anyone nearby capture information being transferred between two devices.
“When the application is configured to receive files, an open Wifi HotSpot is created without any password. An attacker could connect to that HotSpot and capture the information transferred between those devices,” the security company said.
Lenovo concurred with the description in its own advisory and rated the bugs as medium severity.
Core Security also found an attacker could remotely browse but not download files by performing an HTTP request to the web server launched by the vulnerable version of SHAREit for Windows.
Finally, Lenovo had configured the app on Windows and Android to transfer files via HTTP. That is, without encryption.
“An attacker that is able to sniff the network traffic could to view the data transferred or perform man in the middle attacks, for example by modifying the content of the transferred files,” Core Security said of that bug.
According to Core Security's account of talks with Lenovo about the timing of disclosure, Lenovo initially considered the hard-coded password issue “fixed” when it removed it from “secure mode” but left in the “easy mode”.
"Secure mode" is a new option in the latest versions of SHAREit for Android and Windows, which Lenovo said in its advisory "resolves the first vulnerability [the static password] by allowing users to configure a unique password to share files between users, which will prevent unauthorized users from connecting to the SHAREit hotspot."
It added that this "mode also fixes the second vulnerability by encrypting the file transfer using AES-256 (using the unique password as a pre-shared key) on a PC to PC LAN transfer and through a hotspot WPA connection on transfers involving the Android version".
Lenovo urged customers to update version 3.2.0 and above for Windows, and version 3.5.48_ww and above for Android.
For Lenovo it’s the latest in a series of security flaws in pre-installed tools on its hardware, following its Superfish debacle early last year.
Security firm IOActive recently reported security bugs in Lenovo System Update, a tool pre-installed on Lenovo PCs that helps users keep drivers and BIOS up to date. SHAREit users on Windows can use that tool to update the file-sharing product, while Android users can get the patched version via Google Play.