WavebreakMediaMicro - Fotolia

Get started Bring yourself up to speed with our introductory content.

Lenovo SHAREit: How does its hardcoded password vulnerability work?

The Lenovo SHAREit file-sharing app has a hardcoded password vulnerability, among other issues. Expert Michael Cobb explains these flaws and how to prevent exploits on them.

I read about multiple issues with a Lenovo file-sharing app, called SHAREit, with the primary issue being a hardcoded password contained in the application. What are these flaws in Lenovo SHAREit and what do they enable attackers to do? What's the best way to detect hardcoded password issues in applications?

Lenovo SHAREit is a free file-sharing app that works across multiple operating systems. It lets users share files and folders between smartphones, tablets and personal computers. The benefit of the app is users don't need cables, USBs, email attachments, Bluetooth or to incur mobile data charges to share files between their devices, as it uses a Wi-Fi technology called SoftAP, or software-enabled access point. SoftAP enables a device to become a wireless access point by creating a personal Wi-Fi hotspot to which other devices can connect, similar to the Virtual Wi-Fi functionality introduced by Microsoft in Windows 7.

Researchers at Core Security found multiple vulnerabilities in the Windows and Android versions of Lenovo SHAREit, including the use of a hardcoded password (CVE-2016-1491), information exposure (CVE-2016-1490), missing encryption of sensitive data (CVE-2016-1489) and missing authorization (CVE-2016-1492) -- vulnerabilities which could result in compromised data, leaked information and unauthorized access.

One inexcusable vulnerability is a hardcoded password of "12345678" used to connect to the Wi-Fi hotspot. This allows anyone in range of the Wi-Fi signal to connect just by using that password. The password is always the same and cannot be changed. Once connected, an attacker can browse, but not download files. Files are also transferred over HTTP without encryption, so an attacker who is able to sniff the network traffic could view the data being transferred or perform a man-in-the-middle attack, such as modifying the content of the transferred files.

The latest versions of Lenovo SHAREit include fixes for these and other vulnerabilities, as well as a new secure mode option that allows users to configure a unique password to prevent unauthorized users from connecting to the SHAREit hotspot. This password also acts as a shared key to encrypt files being transferred using AES-256.

It requires painstaking forensic investigation and analysis to determine if an application is using a hardcoded password, but network administrators should treat any software that allows a device to connect to a network without first requiring a password, or some form of authentication, with the upmost suspicion. File-sharing apps that are to be used for business purposes should always be risk assessed and checked against security policy requirements -- for example, ensuring that all sensitive data is encrypted at rest and in motion. Network traffic can be inspected with a tool like Wireshark to verify that sensitive data is encrypted while in transit across an internal or external network.

Ask the Expert: Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Next Steps

Read what IT managers should know about file-sharing risks

Learn how to boost enterprise file-sharing apps by integrating with mobile apps

Find out why your enterprise should adopt file sync-and-share products

This was last published in July 2016

Dig Deeper on Wireless and mobile security