Some in the IT security industry are asking just what’s happening at Lenovo, and whether it has lost the security plot.
Less than a year after Superfish, Lenovo is making the security news once more for all the wrong reasons. Core Security found four vulnerabilities, thankfully now fixed by Lenovo, affecting some users of Lenovo’s SHAREit app. In the Android version of the app, no password was required to join an ad-hoc Wi-Fi hotspot that it created. And if you thought that was pretty poor on the security front, some ThinkPad and IdeaPad devices opted instead for a hard-coded password of 12345678. This would all be bad enough news for the PC manufacturer, but it gets worse when you realise that in the space of less than a year things have also gone pear-shaped in the form of the Lenovo Service Engine rootkit row and the Lenovo System Update privilege escalation vulnerability row.
Of course, just because a computing giant finds itself at the pointy end of a handful of security scares does not mean there is a culture of insecurity being fostered within the company. Were that the case then the same allegation could be made in the direction of myriad hardware and software vendors. Nonetheless, SCMagazineUK.com contacted Lenovo and put it to them that some might suggest a culture of insecurity exists.