Lenovo blunder means '12345678' used as password for default file sharing app

Easy to exploit password flaw could leave data unencrypted

Lenovo has been forced to release urgent software fixes after a number of embarrassing flaws were uncovered in its products, including one that left a hard-coded password set to '12345678' by default.

Researchers at Core Security posted an advisory that listed four vulnerabilities in Lenovo's ShareIT function that could result in man-in-the-middle attacks, information leaks and the bypassing of encryption.

ShareIT is a free Lenovo application that lets users share files and folders between computers, smartphones and tablets.

The flaws affect ShareIT for Android 3.0.18 and Windows 2.5.1.1. Other products and versions may also be affected, but they were not tested.

The first security update (CVE-2016-1491) fixes a hard-coded password flaw affecting Windows that leaves WiFi hotspots open to exploitation.

"When Lenovo ShareIT for Windows is configured to receive files, a WiFi hotspot is set with an easy password (12345678). Any system with a WiFi network card could connect to that hotspot by using that password. The password is always the same," explained the advisory.

The second flaw (CVE-2016-1490) affects remote browsing of file sharing in ShareIT. When the WiFi network is ‘on and connected' using the default password, files can be sifted through with a simple HTTP request. Again, this default password was set to '12345678'.

The third problem (CVE-2016-1489) fixes a fault that left files transferred in ShareIT without encryption. "An attacker that is able to sniff the network traffic could view the data transferred or perform man-in-the-middle attacks, for example by modifying the content of the transferred files," the advisory said.

The final update (CVE-2016-1492) fixes a bug that could allow an attacker to connect to a WiFi hotspot and capture data transferred between connected devices. Additionally, an open WiFi hotspot could be created without the need for a password.

Core Security revealed that the problems were reported to Lenovo in October, and the fixes were finally rolled out on 25 January.

It is not the first time that Lenovo has made such a security blunder. The firm faced a backlash last year after it was found that the Superfish adware installed on Lenovo machines collected sensitive data such as web traffic information using fake, self-signed, certificates.