Seagate drives vulnerable thanks to hidden root account and other vulnerabilities
A security advisory posted on September 1 and revised on September 2 reveals that select Seagate wireless hard drives are affected by multiple vulnerabilities, including one that relies on hard-coded credentials.
The vulnerability in question exploits an undocumented Telnet service that is running on the drives by using the default credentials: "root" as the username and the default password.
The main issue here is that the credentials are hard-coded and always the same, so attackers can exploit the vulnerability easily on all affected drives. It may even be possible to take control of the devices in a way that they are used "as a platform to conduct malicious operations beyond the device", according to Tangible Security, who discovered the vulnerability.
The following devices are affected:
- Seagate Wireless Plus Mobile Storage
- Seagate Wireless Mobile Storage
- LaCie FUEL
The drives are affected by two additional vulnerabilities. The first can be exploited if the default drive configuration is not modified. It allows attackers with (wireless) access to affected devices to download files from them without authentication.
The vulnerability stems from improperly protected resources on the device, which can be accessed without authentication.
The third and final vulnerability provides attackers with the means to upload files to affected devices under a default configuration.
The three vulnerabilities give attackers full access to files stored on these wireless hard drives, often without the owner of the device knowing about them.
Seagate has released a new firmware for all affected drives that patches these issues. End users and administrators who want to download these patches need to enter one or multiple serial numbers on Seagate's Download Finder website to display the downloads.
The easiest way to reveal the serial number of a Seagate hard drive is to use the company's Drive Detect software.
Note: It is recommended to back up data on affected drives before upgrading the firmware.
Seagate was informed about the vulnerabilities by Tangible Security on March 18, 2015, while the vulnerability itself dates back to as early as October 2014.
The vulnerabilities exploit rookie mistakes that should not happen, especially not at one of the largest storage manufacturers in the world.
Seagate device owners should head over to the official site right away to download the latest firmware for their device to patch all three vulnerabilities. (via ZDnet)
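Owners who have applied the update can confirm that the Telnet service described above is no longer reachable on their own drive. The following check is an added example, not code from Seagate or Tangible Security; it assumes the service listens on the standard Telnet port 23 (the article does not state the port) and takes the drive's address on the command line. It only connects and reads the first bytes the service sends, and the banner match is a heuristic.

```python
import socket

IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT


def looks_like_telnet(data):
    """True if data holds a Telnet option negotiation or a login prompt."""
    for i in range(len(data) - 1):
        if data[i] == IAC and data[i + 1] in NEGOTIATION:
            return True
    return b"login:" in data.lower()


def probe_telnet(host, port=23, timeout=3.0):
    """Classify a TCP port as 'closed', 'open' or 'telnet'.

    Nothing is transmitted and no login is attempted; the function only
    reads whatever the service sends first after the connection opens.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or unreachable
    with sock:
        sock.settimeout(timeout)
        try:
            banner = sock.recv(256)
        except OSError:
            banner = b""  # connected, but the service stayed silent
    return "telnet" if looks_like_telnet(banner) else "open"


if __name__ == "__main__":
    import sys
    # Usage: python check_telnet.py <address of your own drive>
    host = sys.argv[1]
    result = probe_telnet(host)
    print(f"{host}:23 -> {result}")
    if result != "closed":
        print("Port 23 is still reachable; confirm the firmware update was applied.")
```

A result of `closed` after the update is the expected outcome; `open` or `telnet` means something is still listening on that port and the firmware version should be rechecked.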
Were companies always this sloppy, and it’s just getting easier to spot these mistakes?
Good question. One would assume that once something like this goes public, no company would ever make use of such a feature or implementation. Apparently, this is not the case.
Martin, you are wrong in your assumption. Manufacturers will continue to use hard coded user/password …
Example: Several DSL routers from different manufacturers contain a guessable hard-coded password that allows accessing the devices with a hidden administrator account.