Lenovo's file-sharing app uses hardwired password '12345678' ... or no password at all
Lenovo ShareIT users, get patching: the PC maker's file-sharing app is pretty much unsecured.
The software runs on Windows and Android devices, and creates a Wi-Fi hotspot allowing data to be exchanged – from phone to PC, PC to phone, etc. But the wireless network is pretty much unsecured on both platforms.
In ShareIT for Windows, the Wi-Fi uses “12345678” as a hardcoded password, while in Android, there's no password at all. If someone logs into the Wi-Fi hotspot on Windows, they can browse, but not download, files on the machine.
Core Security, which found the design flaw, also notes that file transfers in Windows and Android aren't encrypted. If an attacker were logged into the hotspot on either side of a file transfer, traffic sniffing would yield a copy of the transfer.
Lenovo's latest versions are available here. Get 'em. ®