Free Republic

Lenovo used '12345678' as filesharing tool password
iTnews ^ | Jan 27 2016 11:59AM (AUS) | Juha Saarinen

Posted on 01/26/2016 7:56:56 PM PST by Utilizer

A filesharing utility for Android devices and Windows computers shipped by hardware vendor Lenovo has been found by security researchers to contain multiple, easily exploitable vulnerabilities.

CoreSecurity discovered that the free Lenovo SHAREit tool for Windows creates a wi-fi hotspot with the password 12345678, allowing anyone to connect to the system running SHAREit.

On Android devices, SHAREit sets up an open wi-fi hotspot without any password at all, in order to receive files. This could allow attackers to connect to the Android device without authentication and capture information transferred, CoreSecurity said.

The researchers also noted that files were transferred using plain-text hyper text transport protocol (HTTP) with no encryption; this could allow attackers to intercept and modify data in man-in-the-middle scenarios on the same network.

It was also possible to browse - but not download - the file systems on Windows computers with SHAREit active, using a simple request to a webserver and by connecting with the default 12345678 password.

Core Security alerted Lenovo to the vulnerabilities in SHAREit on October 29 last year. Lenovo issued patched versions of SHAREit yesterday.

(Excerpt) Read more at itnews.com.au ...


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: filesharing; lenovo; passwords; security; software
You would think people would have learned by now. *sigh*

Links to a bit more info at site.

1 posted on 01/26/2016 7:56:56 PM PST by Utilizer

To: Utilizer

Computer made in China. Should we expect it *not* to spy in some manner?


2 posted on 01/26/2016 7:59:32 PM PST by Fester Chugabrew (Diversity is Hillary Clinton and Barack Obama sharing the same jail cell.)

To: Utilizer

3 posted on 01/26/2016 8:00:50 PM PST by CtBigPat (Free Republic - The grown-ups table of the internet.)

To: Utilizer
What's wrong with that?

That's the password I always use for everything!

</sarcasm>

4 posted on 01/26/2016 8:00:53 PM PST by E. Pluribus Unum ("The goal of socialism is communism... Hatred is the basis of communism" --Vladimir Lenin)

To: Utilizer

Don’t use the software, but what would be helpful for passwords is the use of different alphabets (Russian, German, Greek, etc.) in English passwords.

Is such a thing possible?


5 posted on 01/26/2016 8:02:58 PM PST by txnativegop (Tired of liberals, even a few in my own family.)

To: CtBigPat

GMTA


6 posted on 01/26/2016 8:03:00 PM PST by Army Air Corps (Four Fried Chickens and a Coke)

To: Utilizer

It was a secret until you posted this!


7 posted on 01/26/2016 8:03:44 PM PST by PGR88

To: Utilizer

If it’s good enough for Hillary, it’s good enough for anyone!


8 posted on 01/26/2016 8:04:41 PM PST by kaehurowing

To: txnativegop

If you know the ASCII code, yes. However, then the problem becomes one of retention. The more convoluted the password created, the more difficult it is to remember it later on.

Nothing more embarrassing than forgetting your own password for a file or project you worked on back in your past.


9 posted on 01/26/2016 8:11:28 PM PST by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzrims trying to kill them)

To: Utilizer

A couple of years back, NASA IT personnel were preparing some new computers (out of the box new) to deploy at Marshall Space Flight Center. The computers were plugged into the network for configuration. A couple of minutes later a security guy burst into the room and started yanking network cables.

A brand new, “out-of-the-box” Lenovo started uploading to an IP in mainland China.

The moron who approved the deployment of Lenovo Computers at a government installation should be in prison.


10 posted on 01/26/2016 8:20:55 PM PST by Bryan24 (When in doubt, move to the right..........)

To: Utilizer

That is not something I have too much trouble with.

Thanks for the info.


11 posted on 01/26/2016 8:43:13 PM PST by txnativegop (Tired of liberals, even a few in my own family.)

To: Utilizer

How is this any different than bunches of companies using administration for user name and password for password when they ship their products?


12 posted on 01/26/2016 9:01:28 PM PST by gunsequalfreedom

To: PGR88

Not so much. It’s more a problem that a major (*cough*) manufacturer uses it on a Ready-To-Implement mainstream device with no idea (one would hope, giving them the benefit of a doubt) that such an unthinking default immediately leaves the device vulnerable to compromises.


13 posted on 01/26/2016 9:28:25 PM PST by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzrims trying to kill them)

To: Bryan24

Do you have a reference for that one? I would dearly love to read about it and save it for future usage later on in security consultations.


14 posted on 01/26/2016 9:29:33 PM PST by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzrims trying to kill them)

To: Utilizer
Core Security alerted Lenovo to the vulnerabilities in SHAREit on October 29 last year. Lenovo issued patched versions of SHAREit yesterday.

Lenovo will release no patch before its time.

15 posted on 01/26/2016 11:26:29 PM PST by TChad (The left's accusations are usually self-descriptions.)

To: Utilizer

Nothing written. I talked to one of the IT guys when he was working on a problem in my office. The new contract to supply computers to NASA was an epic disaster. I work at MSFC in Huntsville. NASA should have cancelled the contract and started over.


16 posted on 01/27/2016 7:34:50 AM PST by Bryan24 (When in doubt, move to the right..........)

To: PGR88

I just checked Utilizer's bank account. He only has $24.96 left in his savings.


17 posted on 01/27/2016 1:15:00 PM PST by minnesota_bound

To: minnesota_bound

Too late. It’s already been donated to the FR support drive. :)

Cheers!


18 posted on 01/27/2016 6:18:01 PM PST by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzrims trying to kill them)
