Ask anyone to name a basic security protection that stops attackers from gaining access to a device or network, and the use of a strong password would feature high on the list. However, even a tech giant the size of Lenovo can fail to implement secure passwords. Several Lenovo SHAREit vulnerabilities have recently been discovered, one of which involves a hard-coded password that ranks among the easiest to guess.
Recently, SplashData published a list of the 25 worst passwords of 2015, and the one chosen by Lenovo sits in position three, between “password” and “qwerty.” To all intents and purposes, Lenovo might as well not have set a password at all, such is the degree of protection it offers. That password is also hardcoded into the software, so the user cannot change it.
In fact, in one of the new SHAREit vulnerabilities the company didn’t set a password at all.
Four Lenovo SHAREit vulnerabilities have now been patched
Lenovo SHAREit is a free cross-platform file transfer tool that allows files to be shared across multiple devices, including PCs, tablets and smartphones. Perhaps unsurprisingly, given that Lenovo has previously been found installing software that could not be removed via a rootkit-style mechanism and shipping laptops with pre-installed spyware, security vulnerabilities have now been found in its SHAREit software too.
Four new Lenovo SHAREit vulnerabilities have been discovered, showing some shocking security lapses by the Chinese laptop manufacturer. If the Lenovo SHAREit vulnerabilities are exploited, they could result in leaked information, integrity corruption and security protocol bypasses, and could be used for man-in-the-middle attacks.
The hardcoding of the password 12345678, listed as CVE-2016-1491 by Core Security, is shocking. When Lenovo SHAREit for Windows is configured to receive files, it creates a Wi-Fi hotspot with 12345678 as the password. The password is always the same, so any device with a Wi-Fi adapter that is within range can connect.
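The fix for a hard-coded hotspot credential is to generate a fresh one for every receive session and to refuse anything that would appear on a list like SplashData's. The following is an added illustration written for this article, not code from Lenovo or from SHAREit: the blocklist is a constructed subset of the 2015 list, the 12-character minimum and the 8–63 character WPA2 passphrase bounds are design assumptions, and the checks are deliberately simple (a real deployment would load a full breached-password list).

```python
import secrets
import string
from typing import Set

# Constructed blocklist: the worst entries from the SplashData 2015 list that the
# article mentions, plus a few neighbours. Not a complete list.
WEAK_PASSPHRASES: Set[str] = {
    "123456", "password", "12345678", "qwerty", "12345",
    "123456789", "football", "1234", "1234567", "baseball",
}

MIN_LENGTH = 12            # assumption: our own policy, stricter than WPA2's 8
WPA2_MAX_LENGTH = 63       # WPA2-PSK passphrases are 8-63 ASCII characters

# Alphabet without visually ambiguous characters, since a user may have to type it.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")


def is_sequential(p: str) -> bool:
    """True if every character is exactly one step up (or down) from the previous,
    which catches '12345678' and 'abcdefgh' style passwords."""
    if len(p) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(p, p[1:])}
    return steps in ({1}, {-1})


def is_weak_passphrase(p: str) -> bool:
    """Reject the kinds of hotspot credential described in the article."""
    if len(p) < MIN_LENGTH:
        return True
    if p.lower() in WEAK_PASSPHRASES:
        return True
    if len(set(p)) == 1:            # 'aaaaaaaaaaaa'
        return True
    if is_sequential(p):
        return True
    return False


def hotspot_passphrase(length: int = 16) -> str:
    """Generate a per-session WPA2 passphrase from the OS CSPRNG.

    Called each time the receiver opens its hotspot, so two sessions never share
    a credential and nothing is baked into the binary."""
    if not MIN_LENGTH <= length <= WPA2_MAX_LENGTH:
        raise ValueError(f"length must be between {MIN_LENGTH} and {WPA2_MAX_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_weak_passphrase(candidate):   # astronomically unlikely to loop
            return candidate


if __name__ == "__main__":
    print("12345678 weak:", is_weak_passphrase("12345678"))
    print("session passphrase:", hotspot_passphrase())
```

The passphrase still has to reach the other device somehow; showing it on the receiver's screen for the sender to type is the usual approach, and is what an open or fixed password was presumably avoiding at the cost of the hotspot's security.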
The second vulnerability, CVE-2016-1490, follows from the first. According to Core Security, once the hotspot is up and an attacker is connected to it, files on the host can be browsed by sending HTTP requests to the web server that Lenovo SHAREit launches, although they cannot be downloaded that way.
The third vulnerability, CVE-2016-1489, is the transfer of files in plain text over HTTP without encryption. An attacker on the same network could not only view those files in transit but also modify their content before they reach the recipient.
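An unencrypted, unauthenticated HTTP transfer gives the receiver nothing to check, so a host on the shared hotspot can rewrite the stream and the recipient will never know. The following is an added example for this article, not SHAREit's own code: it simulates the transfer in-process (no network), uses a constructed sample file, and contrasts the bare transfer with one that carries an HMAC-SHA256 tag keyed by a per-session secret. The session key exchange is assumed to happen over an authenticated channel such as a pairing code shown on one device and typed into the other.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed sample file, as it would be sent over the SHAREit HTTP channel.
FILENAME = "quarterly-report.txt"
CONTENT = b"Revenue: 1,000,000\nPayable to account 1234\n"


def attacker_on_path(filename: bytes, body: bytes) -> Tuple[bytes, bytes]:
    """A host on the same hotspot rewriting the plaintext stream
    (the CVE-2016-1489 scenario). Here it swaps the payment account number."""
    return filename, body.replace(b"account 1234", b"account 9999")


# --- Vulnerable pattern: bare HTTP, nothing for the receiver to verify. ---
def send_plain(filename: str, content: bytes) -> Tuple[bytes, bytes]:
    return filename.encode(), content


def receive_plain(filename: bytes, body: bytes) -> bytes:
    return body                      # accepts whatever arrived


# --- Hardened pattern: integrity tag keyed with a per-session secret. ---
def new_session_key() -> bytes:
    # Assumption: both ends obtain this key through an authenticated channel
    # (e.g. a pairing code), not over the same untrusted hotspot.
    return secrets.token_bytes(32)


def _tag(key: bytes, filename: bytes, body: bytes) -> bytes:
    # Bind the name to the content and length-prefix the name so that
    # ("ab", "c") and ("a", "bc") cannot produce the same MAC input.
    msg = len(filename).to_bytes(4, "big") + filename + body
    return hmac.new(key, msg, hashlib.sha256).digest()


def send_authenticated(key: bytes, filename: str, content: bytes) -> Tuple[bytes, bytes, bytes]:
    fn = filename.encode()
    return fn, content, _tag(key, fn, content)


def receive_authenticated(key: bytes, filename: bytes, body: bytes, tag: bytes) -> Optional[bytes]:
    """Return the body only if the tag verifies; None means tampered or forged."""
    if not hmac.compare_digest(_tag(key, filename, body), tag):   # constant-time
        return None
    return body


def demo_plain() -> bytes:
    """Bare transfer: the modified file is accepted silently."""
    fn, body = send_plain(FILENAME, CONTENT)
    fn, body = attacker_on_path(fn, body)
    return receive_plain(fn, body)


def demo_authenticated(tamper: bool) -> Optional[bytes]:
    """Authenticated transfer: tampering is detected and the file rejected."""
    key = new_session_key()
    fn, body, tag = send_authenticated(key, FILENAME, CONTENT)
    if tamper:
        fn, body = attacker_on_path(fn, body)
    return receive_authenticated(key, fn, body, tag)


if __name__ == "__main__":
    print("plain transfer delivered:", demo_plain())
    print("authenticated, untouched:", demo_authenticated(tamper=False))
    print("authenticated, tampered :", demo_authenticated(tamper=True))
```

The HMAC only restores integrity; the on-path host can still read every file. TLS with proper server authentication is what a product in this position should use, since it provides both confidentiality and integrity and removes the need for a separate key-exchange step.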
The fourth SHAREit vulnerability, CVE-2016-1492, concerns SHAREit for Android. When the app is configured to receive files, it creates an open Wi-Fi hotspot with no password at all. Anyone who connects can intercept the files being transferred.
Core Security disclosed the Lenovo SHAREit vulnerabilities privately to Lenovo in October 2015 so that a patch could be developed. Now that the patch has been released to plug the vulnerabilities, Core Security has published the details.