WavebreakMediaMicro - Fotolia
I read about multiple issues with a Lenovo file-sharing app, called SHAREit, with the primary issue being a hardcoded password contained in the application. What are these flaws in Lenovo SHAREit and what do they enable attackers to do? What's the best way to detect hardcoded password issues in applications?
Lenovo SHAREit is a free file-sharing app that works across multiple operating systems. It lets users share files and folders between smartphones, tablets and personal computers. The benefit of the app is users don't need cables, USBs, email attachments, Bluetooth or to incur mobile data charges to share files between their devices, as it uses a Wi-Fi technology called SoftAP, or software-enabled access point. SoftAP enables a device to become a wireless access point by creating a personal Wi-Fi hotspot to which other devices can connect, similar to the Virtual Wi-Fi functionality introduced by Microsoft in Windows 7.
Researchers at Core Security found multiple vulnerabilities in the Windows and Android versions of Lenovo SHAREit, including the use of a hardcoded password (CVE-2016-1491), information exposure (CVE-2016-1490), missing encryption of sensitive data (CVE-2016-1489) and missing authorization (CVE-2016-1492) -- vulnerabilities which could result in compromised data, leaked information and unauthorized access.
One inexcusable vulnerability is a hardcoded password of "12345678" used to connect to the Wi-Fi hotspot. This allows anyone in range of the Wi-Fi signal to connect just by using that password. The password is always the same and cannot be changed. Once connected, an attacker can browse, but not download files. Files are also transferred over HTTP without encryption, so an attacker who is able to sniff the network traffic could view the data being transferred or perform a man-in-the-middle attack, such as modifying the content of the transferred files.
The latest versions of Lenovo SHAREit include fixes for these and other vulnerabilities, as well as a new secure mode option that allows users to configure a unique password to prevent unauthorized users from connecting to the SHAREit hotspot. This password also acts as a shared key to encrypt files being transferred using AES-256.
It requires painstaking forensic investigation and analysis to determine if an application is using a hardcoded password, but network administrators should treat any software that allows a device to connect to a network without first requiring a password, or some form of authentication, with the upmost suspicion. File-sharing apps that are to be used for business purposes should always be risk assessed and checked against security policy requirements -- for example, ensuring that all sensitive data is encrypted at rest and in motion. Network traffic can be inspected with a tool like Wireshark to verify that sensitive data is encrypted while in transit across an internal or external network.
Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Read what IT managers should know about file-sharing risks
Learn how to boost enterprise file-sharing apps by integrating with mobile apps
Find out why your enterprise should adopt file sync-and-share products
Dig Deeper on Wireless and mobile security
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
By performing ongoing risk assessments, organizations can keep their SSH vulnerabilities at a minimum and ensure their remote access foundation is ... Continue Reading