I read about multiple issues with a Lenovo file-sharing app, called SHAREit, with the primary issue being a hardcoded password contained in the application. What are these flaws in Lenovo SHAREit and what do they enable attackers to do? What's the best way to detect hardcoded password issues in applications?
Lenovo SHAREit is a free file-sharing app that works across multiple operating systems. It lets users share files and folders between smartphones, tablets and personal computers. The benefit of the app is that users don't need cables, USB drives, email attachments or Bluetooth, and don't incur mobile data charges, to share files between their devices, because it uses a Wi-Fi technology called SoftAP, or software-enabled access point. SoftAP enables a device to become a wireless access point by creating a personal Wi-Fi hotspot to which other devices can connect, similar to the Virtual Wi-Fi functionality introduced by Microsoft in Windows 7.
Researchers at Core Security found multiple vulnerabilities in the Windows and Android versions of Lenovo SHAREit, including the use of a hardcoded password (CVE-2016-1491), information exposure (CVE-2016-1490), missing encryption of sensitive data (CVE-2016-1489) and missing authorization (CVE-2016-1492) -- vulnerabilities which could result in compromised data, leaked information and unauthorized access.
One inexcusable vulnerability is a hardcoded password of "12345678" used to connect to the Wi-Fi hotspot. This allows anyone in range of the Wi-Fi signal to connect just by using that password. The password is always the same and cannot be changed. Once connected, an attacker can browse, but not download files. Files are also transferred over HTTP without encryption, so an attacker who is able to sniff the network traffic could view the data being transferred or perform a man-in-the-middle attack, such as modifying the content of the transferred files.
The latest versions of Lenovo SHAREit include fixes for these and other vulnerabilities, as well as a new secure mode option that allows users to configure a unique password to prevent unauthorized users from connecting to the SHAREit hotspot. This password also acts as a shared key to encrypt files being transferred using AES-256.
It requires painstaking forensic investigation and analysis to determine whether an application is using a hardcoded password, but network administrators should treat any software that allows a device to connect to a network without first requiring a password, or some other form of authentication, with the utmost suspicion. File-sharing apps that are to be used for business purposes should always be risk-assessed and checked against security policy requirements -- for example, ensuring that all sensitive data is encrypted at rest and in motion. Network traffic can be inspected with a tool like Wireshark to verify that sensitive data is encrypted while in transit across an internal or external network.
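As an added illustration of the static side of that investigation (this is example code written for this answer, not Core Security's tooling or anything from Lenovo), the script below pulls printable strings out of an application binary the way `strings -t d` does, then flags key=value pairs whose key names a credential and any plain `http://` endpoint. The binary content, SSID pattern and URLs are constructed for the example; only the "12345678" value mirrors the advisory.

```python
import re

# Heuristic labels for credentials in code or resource strings (assumption:
# a starting list to extend for the application under review).
CRED_KEY = re.compile(rb"pass(word|phrase|wd)?|psk|wpa|secret|token", re.IGNORECASE)
CLEARTEXT_URL = re.compile(rb"^http://", re.IGNORECASE)

# Constructed stand-in for `strings` output from an app binary. Only the
# "password=12345678" value mirrors the fixed SoftAP passphrase in the advisory;
# the SSID pattern, URLs and request format are made up for this example.
SAMPLE_BINARY = (
    b"\x00\x01SoftAP init\x00ssid=SHAREit-%s\x00password=12345678\x00"
    b"\x7f\x80http://%s:%d/list\x00https://example.invalid/update\x00"
    b"GET /download?file=%s\x00"
)

def printable_strings(blob: bytes, min_len: int = 4):
    """Yield (offset, run) for each run of printable ASCII, like `strings -t d`."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group()

def is_weak_passphrase(value: bytes) -> bool:
    """Digit-only values and common defaults; 8 chars is the WPA2-PSK minimum."""
    v = value.lower()
    return (v.isdigit() and len(v) >= 8) or v in {b"password", b"passw0rd", b"qwertyuiop"}

def triage(blob: bytes) -> list:
    """Report hard-coded credentials and cleartext HTTP endpoints found in blob."""
    findings = []
    for offset, s in printable_strings(blob):
        # Plain http:// endpoints mean file contents cross the network unencrypted.
        if CLEARTEXT_URL.match(s):
            findings.append({"offset": offset, "kind": "cleartext-http",
                             "detail": s.decode(), "weak": False})
        # key=value pairs whose key names a credential are baked-in secrets.
        key, sep, value = s.partition(b"=")
        if sep and value and CRED_KEY.search(key):
            findings.append({"offset": offset, "kind": "hardcoded-credential",
                             "detail": s.decode(), "weak": is_weak_passphrase(value)})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_BINARY):
        flag = " (WEAK)" if f["weak"] else ""
        print(f"{f['offset']:6d}  {f['kind']:21s}  {f['detail']}{flag}")
```

Run it against the real binary by replacing SAMPLE_BINARY with the file's bytes; a hit only marks a candidate, so confirm each one by tracing where the string is used, and confirm the transport finding on the wire with Wireshark as described above.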
Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)