Several of Seagate’s wireless hard disk drives (HDDs) contain multiple vulnerabilities, including “undocumented Telnet services” that hackers could access by using the default credentials of “root” for the username and password of a built-in user account, Cert.org reports. Attackers could siphon off any or all of the data on the drives, and perhaps plant some neat booby traps or files of their own.
Advertisement
The researchers said that they had informed Seagate about all the three vulnerabilities and Seagate is issuing firmware update to fix these issues.
A CERT announcement confirmed that the flaws could be used to inject malicious files onto the WiFi drives, taking control of or infecting connected devices. An attacker can directly download files from anywhere on the filesystem.
As it happens with brands as powerful as Seagate, there is more than one name on the market for each product, which in fact means that the vulnerability circle could be much wider.
Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and the company’s LaCie Fuel hard drives are said to be affected by the flaw.
Firmware on the devices affected ranges from 2.2.0.005 and 2.3.0.014, dating to October 2014, however it is noted that other firmware versions may be affected.
Accolades go to Allen Harper, J. Rach and Mike Baucom from Tangible Security, who uncovered essential liabilities in the wireless storage hardware manufactured by Seagate. You’ll want to download the patch as soon as possible if your drive is affected. There’s an upload vulnerability, as well: with the default configuration, attackers can upload anything they wish to the drives’ file sharing partition. Customers may download the firmware from Seagate’s website. That will locate the firmware you need.
Advertisement
According to Seagate, “all security concerns with these vulnerabilities” have been fixed, and users have nothing to worry about any longer, as long as they have the 3.4.1.105 update installed on their devices.
