Lenovo used third 'worst password' in file-sharing backdoor flaw

You would think the tech giant would know better than to use one of the most obvious, lazy passwords of all time in its software.
Written by Charlie Osborne, Contributing Writer

A number of severe security vulnerabilities have been patched in Lenovo products, one of which involving a hard-coded password which has been awarded the title of the third 'worst password' of all time.

Researchers have disclosed four vulnerabilities in Lenovo ShareIT which could result in information leaks, security protocol bypass and man-in-the-middle (MITM) attacks. Although now patched, one, in particular, places Lenovo's understanding of basic security principles at risk -- as a hard-coded password set as "12345678" opens the door to hotspot Wi-Fi abuse.

In an advisory posted by Core Security, the four vulnerabilities are related to the use of a hard-coded password, information exposure, missing encryption practices for sensitive data and missing authorisation requirements in ShareIT, a program designed for content sharing between files and folders hosted on smartphones, tablets and PCs.

The vulnerabilities below impact Lenovo ShareIT for Android 3.0.18 and Windows, which is the latest version. The security firm says other versions may be affected but were not tested.

The first vulnerability, CVE-2016-1491, is perhaps the one which makes you want to smack your head against your deck. Core Security explains:

"When Lenovo ShareIt for Windows is configured to receive files, a Wi-Fi HotSpot is set with an easy password (12345678). Any system with a Wi-Fi Network card could connect to that Hotspot by using that password. The password is always the same."

According to SplashData, this hard-coded password is hauntingly similar to the top, worst password of all time in 2015: "123456," and matches the third most commonly used -- and one which is pointless to maintain security -- as the password is "12345678." (For those interested, the second worst was "password" itself.)

Lenovo really should know better. By using such lazy default passwords within its software -- especially when they are hard-coded and unchangeable by your average user -- the company is placing consumers and their data at risk.

The second vulnerability, CVE-2016-1490 relates to the remote browsing of file systems within Lenovo ShareIt. Once a Wi-Fi network is active and connected using the default 12345678 password, files can be browsed through but not downloaded via a simple HTTP request, granting attackers the option to wander through data at will.

The third flaw, CVE-2016-1489, reveals that files transferred between Windows and Android machines are shifted in plain text and lack any form of encryption. This is the perfect opportunity for attackers to sniff data packets being transferred, snoop on the data and also perform MITM attacks, which could result in malware infections and file tampering.

Finally, the fourth bug, CVE-2016-1492, was found in ShareIT's file transfer system. Users can open Wi-Fi HotSpots without any password, and so an attacker could connect to that HotSpot and capture the information transferred between Windows and Android devices.

The vulnerabilities were privately disclosed to the Chinese PC maker by Ivan Huertas from Core Security in October 2015. Despite taking over three months to patch the flaws, updates were released on Monday by Lenovo to fix the issues, resulting in a coordinated public disclosure.

10 things you didn't know about the Dark Web

Read on: Top picks

Editorial standards