Lenovo uses really bad passwords
Lenovo has fixed vulnerabilities in ShareIT that it created by using the sort of password that a dog would use.
This is woeful, head-in-the-hands stuff and follows the recent publication of a list of the most commonly used, and therefore worst, passwords out there. The password Lenovo was using as a default is third on that list. It is ‘12345678’, which sits just behind ‘Password’ in the rankings and is every bit as loathsome a choice.
Core Security points the finger at Lenovo in a security advisory. ShareIT is not a favourite of Core Security’s, and it picked a good few vulnerabilities out of the software, each of which could be used for some nefarious purpose.
A seemingly simple problem was probably the worst, and made Lenovo look like a ruddy idiot: a hard-coded password in Lenovo ShareIT for Windows that leaves the Wi-Fi hotspot the application creates open to anyone in range who knows it, which is to say everyone.
“When Lenovo ShareIT for Windows is configured to receive files, a WiFi hotspot is set with an easy password (12345678). Any system with a WiFi network card could connect to that hotspot by using that password. The password is always the same,” said Core Security.
“The files are transferred via HTTP without encryption. An attacker that is able to sniff the network traffic could view the data transferred or perform man-in-the-middle attacks, for example by modifying the content of the transferred files.
“When the application is configured to receive files, an open WiFi hotspot is created without any password. An attacker could connect to that hotspot and capture the information transferred between those devices.”
You couldn’t make this sort of thing up. Lenovo has faced up to the issue and said that it agrees with the findings. The firm also confirmed that, taken together, the vulnerabilities would enable remote access to, and control of, a system by a malicious third party.
In its statement Lenovo did not apologise, but it did say that it would now follow industry standards for protecting users. That sounds like a positive to us and should come as a relief to those who rely on the software.
“The vulnerabilities may allow remote browsing of a file system and unauthorized access of transferred files by an attacker,” it said.
“Following industry best practice, Lenovo has made available updated versions of ShareIT which fix and eliminate these vulnerabilities in advance of this disclosure. Users can resolve the vulnerability from their devices by updating to the latest version of ShareIT.”
New versions are available from the Lenovo website and from Google Play. More information is available on a Lenovo support page, where Lenovo said that it had solved the password problem.
“A vulnerability was identified on the Windows version of ShareIT that allows an attacker to join a protected ad hoc Wi-Fi hotspot created by ShareIT by providing a static password that is not able to be changed by the user. A similar vulnerability was identified on the Android version of ShareIT where no password was required to join the ad hoc Wi-Fi hotspot,” it explained.
“Windows ShareIT version 3.2.0 and later and Android ShareIT version 3.5.38_ww and later include a new “secure mode” option that resolves the first vulnerability by allowing users to configure a unique password to share files between users, which will prevent unauthorized users from connecting to the ShareIT hotspot.”
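The two hotspot configurations Core Security described (a fixed “12345678” passphrase on Windows, no passphrase at all on Android) and the per-session password that Lenovo’s “secure mode” introduces can be captured in a small policy check. The following is an added illustration, not ShareIT’s code or anything Lenovo or Core Security published: the `check_hotspot_psk`, `generate_session_psk` and `configure_receive_hotspot` functions, the short common-password blocklist and the “previous sessions” bookkeeping are all assumptions made for the example. The length limits are the 8 to 63 character WPA2-PSK passphrase range.

```python
"""Hotspot passphrase policy check (added example, not ShareIT's own code).

Reproduces the two reported weak configurations and the hardened
per-session alternative, and refuses to bring a hotspot up on a
passphrase that is empty, hard-coded, on a common-password list or
simply reused from the last session.
"""
import secrets
import string

# Constructed stand-in for a published most-common-passwords list; a real
# list of that kind runs to hundreds of entries.
COMMON_PASSWORDS = frozenset({"123456", "password", "12345678", "qwerty",
                              "12345", "123456789", "football", "1234"})

WPA2_MIN_LEN, WPA2_MAX_LEN = 8, 63          # WPA2-PSK passphrase length range
PSK_ALPHABET = string.ascii_letters + string.digits


def is_sequential_digits(psk):
    """True for runs such as 12345678 or 98765432 (steps of exactly +1 or -1)."""
    if not psk.isdigit() or len(psk) < 4:
        return False
    steps = {int(b) - int(a) for a, b in zip(psk, psk[1:])}
    return steps == {1} or steps == {-1}


def check_hotspot_psk(psk, previous_psks=()):
    """Return the list of policy violations for a passphrase (empty means OK).

    previous_psks holds passphrases used by earlier receive sessions on the
    same device, so a value that never changes between sessions is flagged.
    """
    if not psk:
        return ["open hotspot: no passphrase configured"]
    problems = []
    if not WPA2_MIN_LEN <= len(psk) <= WPA2_MAX_LEN:
        problems.append(f"length {len(psk)} outside WPA2 range "
                        f"{WPA2_MIN_LEN}-{WPA2_MAX_LEN}")
    if not all(32 <= ord(c) <= 126 for c in psk):
        problems.append("contains characters outside printable ASCII")
    if psk.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if is_sequential_digits(psk):
        problems.append("sequential digits")
    if psk in previous_psks:
        problems.append("static: reused from a previous session")
    return problems


def generate_session_psk(length=16):
    """Fresh random passphrase for one receive session, from the CSPRNG."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def configure_receive_hotspot(ssid, secure_mode, previous_psks=()):
    """Build hotspot settings for a receive session.

    secure_mode=False models the reported Windows behaviour: the same fixed
    PSK on every session. secure_mode=True generates a per-session
    passphrase and marks the hotspot unusable if it fails policy.
    """
    psk = generate_session_psk() if secure_mode else "12345678"
    problems = check_hotspot_psk(psk, previous_psks)
    return {"ssid": ssid, "psk": psk, "secure": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed demo: the fixed PSK was already used by the last session.
    weak = configure_receive_hotspot("ShareIT-demo", secure_mode=False,
                                     previous_psks=["12345678"])
    good = configure_receive_hotspot("ShareIT-demo", secure_mode=True,
                                     previous_psks=[weak["psk"]])
    print("fixed PSK:", weak["problems"])
    print("secure mode:", good["problems"] or "ok")
```

The check runs before the hotspot interface is brought up, so a build that still ships a constant passphrase fails at the point where it would otherwise expose every receive session to anyone who has read the advisory. The reuse check is what distinguishes a merely strong passphrase from a hard-coded one: a 16-character random string that never changes is still a static credential.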