Certain Seagate Wireless HDDs Susceptible To Embarrassing Root Exploit, Allows Hackers To Snatch User Data
Here we go again. Researchers for Tangible Security have discovered three major vulnerabilities which strike at least three different Seagate enclosures - the Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL - equipped with firmware 2.2.0.005 or 2.3.0.014. As these things go, other devices and firmware versions could be affected; these are just the ones the researchers have been able to confirm.
The first bug, tracked as CVE-2015-2874, relates to an installed telnet server that grants root access with a default password. If login is granted, havoc can be wreaked - at the very least, data could be easily deleted. The second bug, CVE-2015-2875, gives attackers total access to the storage, while the third, CVE-2015-2876, could allow attackers to upload malicious software through the device's standard sharing feature.
"People don't expect DOD-level security but, Seagate, please stop adding hidden hardcoded root logins to hard drives. http://t.co/SmoVTaaJaV" - Kenn White (@kennwhite), September 6, 2015
There's no denying that these are severe vulnerabilities, but this is one of those rare times when we're able to pen a post like this and actually relay that fixes have already been issued. If you own one of these devices, it's highly recommended that you go to Seagate's support site and download the latest firmware update.
There is a slight concern, though. Tangible contacted Seagate on March 18 of this year with word of these vulnerabilities, and it took 12 days before the company actually confirmed them. It then took more than three months for Tangible to receive a patch for testing, and it wasn't until September 1 that US CERT published the advisory. That makes for a solid five months that consumers were left exposed to an unknown (to them) bug. As if we needed more proof of it, this should again highlight the fact that companies need to begin taking security a lot more seriously. Vulnerabilities like these should not feel like standard fare.