Jan 27, 2016

Lenovo Grilled By Security Researchers over poor ShareIT Security

Computer users often make very basic mistakes that make more sensible people wonder just what they were thinking. Case in point: passwords. SplashData recently published its fifth annual list of the most commonly used passwords by computer users in North America and Western Europe, and many people will be hitting their heads against their desks when they learn that obvious choices like "password" and "12345678" still top the list.

While you can expect individuals to make basic mistakes like these, you would assume actual computer manufacturers would be smarter. But if the latest headlines are to be believed, it seems Lenovo's software developers could do with reading this list themselves. As revealed in an advisory posted by Core Security, Lenovo's ShareIT file-sharing software – built into their computers – has a very serious password-related flaw.

How bad? The Wi-Fi network created and used for transferring files between Windows computers "securely" uses a very predictable password: 12345678. Even worse, this password is "hardcoded" into the software, making it impossible for users to change it to something much more secure. The problem is even worse for Android users, where the ShareIT app has no password at all, leaving the network entirely open for anyone within radio range to connect to.

The implications for the security of transferred files are serious. Merely using a web browser to connect to a ShareIT network can reveal all the files currently stored on the platform by the affected user. While the files cannot be downloaded this way, the researchers also discovered that the files are transferred insecurely, without any kind of encryption, meaning the simple use of a traffic sniffer once connected could allow anyone to obtain a copy of any transferred file.
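The three weaknesses described above (a hardcoded common password, an open network, and unencrypted transfers) can be caught by a simple configuration check, shown here beside a per-session passphrase generator. This is an added example, not code from Lenovo, ShareIT or Core Security; the config schema, field names and function names are hypothetical, and the sample configurations are constructed to mirror the article's description.

```python
import secrets
import string

# Constructed sample of "most common" passwords; the first two are named in the article.
COMMON_PASSWORDS = {"password", "12345678", "123456789", "qwerty123", "11111111"}
ALPHABET = string.ascii_letters + string.digits  # 62 symbols, about 5.95 bits each


def new_session_passphrase(length=20):
    """Generate a fresh WPA2 passphrase for each hotspot session from the OS CSPRNG."""
    if not 8 <= length <= 63:  # WPA2-PSK passphrases are 8..63 characters
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_hotspot(config):
    """Return findings for a file-sharing hotspot config (hypothetical schema)."""
    findings = []
    psk = config.get("passphrase") or ""
    if config.get("auth", "open") == "open" or not psk:
        findings.append("open-network")  # anyone in radio range can join
    else:
        if psk.lower() in COMMON_PASSWORDS:
            findings.append("common-passphrase")
        if config.get("passphrase_source") != "generated-per-session":
            findings.append("static-passphrase")  # same secret on every install
        if not 8 <= len(psk) <= 63:
            findings.append("invalid-length")
    if not config.get("transfer_encrypted", False):
        findings.append("plaintext-transfer")  # readable by any joined client
    return findings


# Constructed configs modelling the behaviour the article describes.
WINDOWS_AS_DESCRIBED = {"auth": "wpa2", "passphrase": "12345678",
                        "passphrase_source": "hardcoded", "transfer_encrypted": False}
ANDROID_AS_DESCRIBED = {"auth": "open", "passphrase": None, "transfer_encrypted": False}
HARDENED = {"auth": "wpa2", "passphrase": new_session_passphrase(),
            "passphrase_source": "generated-per-session", "transfer_encrypted": True}

if __name__ == "__main__":
    for name, cfg in [("windows", WINDOWS_AS_DESCRIBED),
                      ("android", ANDROID_AS_DESCRIBED),
                      ("hardened", HARDENED)]:
        print(name, audit_hotspot(cfg) or "no findings")
```

A 20-character passphrase from this alphabet carries roughly 119 bits of entropy, and because it is regenerated per session, learning one value gives no access to later sessions.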

Luckily, the flaws may not exist much longer. Lenovo claim that since being made aware of the issues in October last year, the company has worked to bring the software up to snuff. Those running ShareIT on Windows or Android are now advised to download the latest version of the software from the ShareIT website, which was released this week and claims to resolve all the issues found by the Core Security researchers. Given that this is not the first time Lenovo have been found to engage in shady security practices, however, it may be time to think twice about that ThinkPad.
