I read about multiple issues with a Lenovo file-sharing app, called SHAREit, with the primary issue being a hardcoded...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
password contained in the application. What are these flaws in Lenovo SHAREit and what do they enable attackers to do? What's the best way to detect hardcoded password issues in applications?
Lenovo SHAREit is a free file-sharing app that works across multiple operating systems. It lets users share files and folders between smartphones, tablets and personal computers. The benefit of the app is users don't need cables, USBs, email attachments, Bluetooth or to incur mobile data charges to share files between their devices, as it uses a Wi-Fi technology called SoftAP, or software-enabled access point. SoftAP enables a device to become a wireless access point by creating a personal Wi-Fi hotspot to which other devices can connect, similar to the Virtual Wi-Fi functionality introduced by Microsoft in Windows 7.
Researchers at Core Security found multiple vulnerabilities in the Windows and Android versions of Lenovo SHAREit, including the use of a hardcoded password (CVE-2016-1491), information exposure (CVE-2016-1490), missing encryption of sensitive data (CVE-2016-1489) and missing authorization (CVE-2016-1492) -- vulnerabilities which could result in compromised data, leaked information and unauthorized access.
One inexcusable vulnerability is a hardcoded password of "12345678" used to connect to the Wi-Fi hotspot. This allows anyone in range of the Wi-Fi signal to connect just by using that password. The password is always the same and cannot be changed. Once connected, an attacker can browse, but not download files. Files are also transferred over HTTP without encryption, so an attacker who is able to sniff the network traffic could view the data being transferred or perform a man-in-the-middle attack, such as modifying the content of the transferred files.
The latest versions of Lenovo SHAREit include fixes for these and other vulnerabilities, as well as a new secure mode option that allows users to configure a unique password to prevent unauthorized users from connecting to the SHAREit hotspot. This password also acts as a shared key to encrypt files being transferred using AES-256.
It requires painstaking forensic investigation and analysis to determine if an application is using a hardcoded password, but network administrators should treat any software that allows a device to connect to a network without first requiring a password, or some form of authentication, with the upmost suspicion. File-sharing apps that are to be used for business purposes should always be risk assessed and checked against security policy requirements -- for example, ensuring that all sensitive data is encrypted at rest and in motion. Network traffic can be inspected with a tool like Wireshark to verify that sensitive data is encrypted while in transit across an internal or external network.
Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Read what IT managers should know about file-sharing risks
Learn how to boost enterprise file-sharing apps by integrating with mobile apps
Find out why your enterprise should adopt file sync-and-share products
Dig Deeper on Wireless and mobile security
Related Q&A from Michael Cobb
Can two-factor authentication be applied to a mobile device that's used as a 2FA factor? Michael Cobb explores the different knowledge factors and ...continue reading
Running a private certificate authority can pose significant risks and challenges to meet baseline requirements. Michael Cobb explores what ...continue reading
A recently discovered Android app permissions flaw can expose users to attacks. Michael Cobb explains what the risks are and how Android O security ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.