Lenovo has been raked over the coals by security researchers once again, this time for a string of blunders in its ShareIT software package.
Lenovo was rightly castigated in February last year for
installing man-in-the-middle software on its devices, decrypting TSL-protected communications in order to insert advertising - and, even worse, leaving the entire system open to attack by installing a self-signed root certificate whose private key was readily available. The company
promised to change its ways in March, but was
back to its old tricks in August as it saw its PC profits plunge.
This time around, at least the security issue is relatively accidentally - albeit boneheaded. In an advisory posted by
Core Security, researchers have detailed how Lenovo's software team made a string of schoolboy errors when developing the bundled ShareIT file-sharing software for the company's Windows and Android machines. Perhaps the biggest of these gaffes relates to password usage: the Wi-Fi network created by the software for sharing files from a Windows machine is 'protected' by the hard-coded and non-configurable shared key '12345678,' while the Android version uses no password at all - leaving the network entirely open for anyone within radio range to connect.
Once connected, interested parties don't have to put too much effort into sniffing out the files on offer either. Connecting to any ShareIT system with a simple web browser will reveal a list of shared files, and while they're not directly downloadable the files are transferred between machines using no encryption - meaning anyone on the network can simply passively sniff the traffic and capture perfect copies of any transferred file.
Since the issues were reported to Lenovo in October of last year, the company has worked to bring the software up to snuff resulting in the
release of an updated version this week, claimed to resolve the flaws uncovered by Core Security researchers. Anyone who makes use of ShareIT on any Windows or Android system is recommended to upgrade as soon as possible.
Want to comment? Please log in.