The Lenovo SHAREit file-sharing app has been found to contain critical security vulnerabilities, among them a hardcoded password for its Wi-Fi hotspot. Learn more about the problem in our article.
What is Lenovo Shareit
Lenovo SHAREit is an application for Android, Windows, iOS, Windows Phone and Mac OS X devices that allows for easy file transfer. It uses a technology called SoftAP (software-enabled access point) to transfer the files: the receiving device creates a personal Wi-Fi hotspot to which the other devices connect. This is a very convenient approach, as it requires no complex configuration, cables or Bluetooth pairing. SHAREit is one of the most popular applications of this type, having been downloaded by millions of users from Google Play alone.
The app also has some useful additional capabilities: controlling PowerPoint presentations from a smart device, transferring contacts, messages and whole applications when migrating to a new device, and an easy interactive menu.
The Lenovo ShareIt Vulnerabilities
Security researchers from Core Security discovered multiple vulnerabilities in both the Windows and Android versions of the application. The problems include the following issues:
- Hardcoded Password in the Hotspot Feature (CVE-2016-1491) – The Wifi hotspot in Lenovo SHAREit before 3.2.0 for Windows, when configured to receive files, has a hardcoded password of 12345678, which makes it easier for remote attackers to obtain access by leveraging a position within the WLAN coverage area.
- The WiFi Hotspot Feature Allows Remote Attackers to Obtain Sensitive Information (CVE-2016-1490) – The Wifi hotspot in Lenovo SHAREit before 3.2.0 for Windows allows remote attackers to obtain sensitive file names via a crafted file request to /list.
- Cleartext Communication in the Windows and Android Versions of the App (CVE-2016-1489) – Lenovo SHAREit before 3.2.0 for Windows and SHAREit before 3.5.48_ww for Android transfer files in cleartext, which allows remote attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors.
- The WiFi Hotspot Feature Does Not Require a Password for Authentication (CVE-2016-1492) – The Wifi hotspot in Lenovo SHAREit before 3.5.48_ww for Android, when configured to receive files, does not require a password, which makes it easier for remote attackers to obtain access by leveraging a position within the WLAN coverage area.
The latest versions of the Lenovo SHAREit app fix these issues and add a new security feature that lets device owners set a unique hotspot password, which stops unauthorized devices from connecting to the hotspot. This password also serves as a shared key used to encrypt the transferred files with AES-256.
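The following Go program is an added example, not code from this page, from Lenovo or from Core Security. It shows the corrected design the paragraph above describes: a passphrase generated fresh for each receiving session instead of a fixed 12345678 or none at all, a 32-byte AES-256 key derived from that passphrase, and AES-256-GCM so that a transfer is both encrypted and integrity-protected. A listener who captured the traffic and tries the old default cannot read it, and any altered byte is rejected. The function names, the PBKDF2 parameters and the salt || nonce || ciphertext blob layout are this example's own assumptions; the page does not say how SHAREit actually derives its key or frames its traffic.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// NewSessionPassphrase draws a fresh random hex passphrase for one receiving session,
// so no two receivers share a value an attacker could look up in advance.
func NewSessionPassphrase(nBytes int) (string, error) {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Sizes are this example's choices; 12 and 16 are GCM's standard nonce and tag lengths.
const saltLen, nonceLen, tagLen, kdfIterations = 16, 12, 16, 50_000

// PBKDF2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out so the example
// needs only the standard library.
func PBKDF2SHA256(password, salt []byte, iter, keyLen int) []byte {
	mac := hmac.New(sha256.New, password)
	out := make([]byte, 0, keyLen)
	for block := uint32(1); len(out) < keyLen; block++ {
		mac.Reset()
		mac.Write(salt)
		mac.Write(binary.BigEndian.AppendUint32(nil, block))
		u := mac.Sum(nil)              // U1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM derives a 32-byte key (AES-256) from the passphrase and salt and wraps it in
// GCM, so each transfer is encrypted and integrity-protected under the shared key.
func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(PBKDF2SHA256([]byte(passphrase), salt, kdfIterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealTransfer encrypts one payload under the session passphrase; the blob layout
// salt || nonce || ciphertext+tag is this example's own choice.
func SealTransfer(passphrase string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // fresh salt and nonce for every transfer
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(hdr, hdr[saltLen:], plaintext, hdr[:saltLen]), nil
}

// OpenTransfer reverses SealTransfer; a wrong passphrase or any altered byte fails
// GCM authentication instead of yielding garbage.
func OpenTransfer(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+tagLen {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, salt)
}

func main() {
	passphrase, err := NewSessionPassphrase(12) // fresh per session, unlike the fixed 12345678
	if err != nil {
		panic(err)
	}
	blob, err := SealTransfer(passphrase, []byte("constructed sample file contents"))
	if err != nil {
		panic(err)
	}
	_, err = OpenTransfer("12345678", blob) // what a listener trying the old default gets
	fmt.Println("session passphrase:", passphrase, "| attempt with 12345678:", err)
}
```

Run it with go run; a different passphrase is printed each time. The passphrase is fed through PBKDF2 rather than used directly as the key because a value a user can read off the screen and type is not uniformly random, and the per-transfer salt stored in the blob gives each transfer its own key even when the same session passphrase is reused.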
The Issue is Now Amended
Lenovo has reached out to us with information about the issue. Its security team has released critical patches that fix the bugs.
The company has also shared its mitigation strategy to protect users from exploitation of these vulnerabilities:
- All SHAREit users should update to the latest versions by applying the new security updates released by the company
- All SHAREit users should make sure they are using the “secure mode” feature available in the software. To activate it, open the settings screen and select the “Secure mode” option.
For more detailed information check out the company’s statement for instructions.