Seagate drives vulnerable thanks to hidden root account and other vulnerabilities

Martin Brinkmann
Sep 7, 2015
Updated • Sep 8, 2015

A security advisory posted on September 1 and revised on September 2 reveals that select Seagate wireless hard-drives are affected by multiple vulnerabilities including one that is taking advantage of hard-coded credentials.

The vulnerability in question exploits an undocument Telnet service that is running on the drives by using the default credentials "root" as the username and the default password.

The main issue here is that the credentials are hard-coded and always the same so that attackers can exploit the vulnerability easily on all affected drives. It may even be possible to take control of the devices in a way that they are used " as a platform to conduct malicious operations beyond the device" according to Tangible Security who discovered the vulnerability.

seagate wireless hard drives vulnerabilities

The affected devices in question are the following ones:

  • Seagate Wireless Plus Mobile Storage
  • Seagate Wireless Mobile Storage
  • LaCie FUEL

The drives are affected by two additional vulnerabilities. The first attack is carried out if the default drive configuration is not modified. It allows attackers with (wireless) access to affected devices to download files from them without authentication.

The vulnerabilities exploits improperly protected resources on the device which can be accessed without authentication.

The third and final vulnerability provides attackers with the means to upload files to affected devices under a default configuration.

The three vulnerabilities give attackers full access to files stored on these wireless hard drives, often without the owner of the device knowing about them.

Seagate has released a new firmware for all affected drives that patches these issues. End users and administrators who want to download these patches need to enter one or multiple serial numbers on Seagate's Download Finder website to display the downloads.

The easiest way to reveal the serial number of a Seagate hard drive is to use the company's Drive Detect software.

Note: It is recommended to back up data on affected drives before upgrading the firmware.

Seagate was informed about the vulnerabilities by Tangible Security on March 18, 2015 while the vulnerability itself dates back as early as October 2014.

Closing Words

The vulnerabilities exploit rookie mistakes that should not happen, especially not by one of the largest storage manufacturers of the world.

Seagate device owners should head over to the official site right away to download the latest firmware for their device to patch all three vulnerabilities. (via ZDnet)

Seagate drives vulnerable thanks to hidden root account and other vulnerabilities
Article Name
Seagate drives vulnerable thanks to hidden root account and other vulnerabilities
Several Seagate wireless hard-drives are affected by vulnerabilities that allow attackers to download and upload files.

Previous Post: «
Next Post: «


  1. Ron C. said on September 7, 2015 at 10:11 pm

    Were companies always this sloppy, and it’s just getting easier to spot these mistakes?

    1. Martin Brinkmann said on September 7, 2015 at 10:14 pm

      Good question. One would assume that once something like this goes public, no company would ever make use of such a feature or implementation. Apparently, this is not the case.

      1. ilev said on September 8, 2015 at 8:12 am

        Martin, you are wrong in your assumption. Manufacturers will continue to use hard coded user/password …

        Example : Several DSL routers from different manufacturers contain a guessable hard-coded password that allows accessing the devices with a hidden administrator account.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.