As a warning to users of Seagate’s line of wireless hard drives, a group of researchers at Tangible Security has discovered a security hole in a few specific Seagate wireless drives.
The vulnerability, which can reportedly provide unauthorized users with root access to the drive, is said to activate undocumented Telnet services using a default username and password combo. Telnet, a simple command line procedure, actually allows attackers to log in to someone else’s computer over an Internet or local network connection.
Anyone who opts to exploit this flaw could, quite effortlessly, dictate your hard drive as their own, enabling them to steal files or even to deploy malicious attacks against other people’s computers from your hard drive. Especially concerning is that both the default username and password required for root access is simply the word ‘root,’ making the barrier of entry for aggressors distressingly low.
Another hole spotted by the research firm allegedly allows an unrestricted capability to download files when within the parameters of a device’s wireless network. This could prove detrimental in the case where the attacker is located nearby. And a third flaw permits attackers to upload any file they’d like to the affected wireless hard drive. This, of course, isn’t limited to potentially hazardous files used to brick the devices attached to the drive or even the drive itself.
Fortunately, Seagate has already issued a fix, with help from Tangible Security, to the susceptibility, which seems to have affected those with either a Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, or a LaCie Fuel purchased between now and October 2014.
On the downside, however, Tangible has reported that other Seagate products may also be afflicted by the flaw.
“With products from large vendors such as Seagate, there tend to be numerous product names for basically the same product under the same vendor’s name or another vendor,” writes the research firm. “Tangible Security cannot enumerate all of the named products as well as Seagate. Other named products may be affected.”
If you’re using a wireless Seagate hard drive donning either firmware version 2.2.0.005 or 2.3.0.014, Seagate has made available an update to version 3.4.1.105 that repairs these vulnerabilities. To check if your drive is at-risk, it’s recommended that you search for a firmware update using Seagate’s Download Finder. Make sure to do it soon, as Tangible Security claims that this uncompromising vulnerability has been active for at least a week now and is sure to become more infectious as time goes by without action taken.
