Security researchers have discovered that Seagate’s popular wireless NAS drives are open to exploitation due to a raft of vulnerabilities that grant an attacker unauthorized access to data on the drive.
Security researchers at Tangible Security have discovered multiple vulnerabilities in Seagate wireless hard drives that allow “unrestricted file download capability” to malicious attackers who gain wireless access to the hard drive, reports The Register.
According to the researchers, an external Telnet feature could potentially be used to gain access to the device. Gaining control of the hard drive comes next, simply by logging in with the username ‘root’ and the default hard-coded password. Other vulnerabilities include unauthorized browsing and downloading of files. Certain malicious files can be uploaded too, researchers say.
Notably, the affected drives include:
- Seagate Wireless Plus Mobile Storage
- Seagate Wireless Mobile Storage
- LaCie FUEL drives, among others.
The vulnerabilities are said to exist with firmware versions 2.2.0.005 to 2.3.0.014. Although the vulnerabilities were originally discovered back in March, a patch has only recently been published, in tandem with an advisory from US-CERT.
Tangible Security issued an announcement of their own, saying:
“With products from large vendors such as Seagate, there tend to be numerous product names for basically the same product under the same vendor’s name or another vendor. Tangible Security cannot enumerate all of the named products as well as Seagate. Other named products may be affected.”
The vulnerabilities are:
- Use of Hard-coded Credentials
- Direct Request (“Forced Browsing”)
- Unrestricted Upload of File with Dangerous Type
There have been no reports or instances of any public exploits of these vulnerabilities yet, according to researchers at Tangible Security.
In their announcement, Tangible Security insists on the importance of downloading and installing the new firmware update available from Seagate to patch the vulnerabilities. The researchers also warn that the failure to install the new update exposes the devices to cybercrime risks.
Seagate has made the new firmware with the necessary patches available and insisted that the update “addresses all security concerns with these vulnerabilities.”
The firmware update is available for download from Seagate.
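To find which drives still need the update, the affected firmware range quoted above (2.2.0.005 to 2.3.0.014) can be checked against an inventory. The following is an added example, not code from Seagate or Tangible Security; it assumes four-part dotted versions that order numerically component by component, and the device labels and sample versions are constructed.

```python
import re

# Affected range as stated in the article, treated as inclusive on both ends.
AFFECTED_MIN = "2.2.0.005"
AFFECTED_MAX = "2.3.0.014"

# Assumption: firmware versions are four dot-separated numeric fields.
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Turn '2.3.0.014' into (2, 3, 0, 14); raise ValueError if malformed."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """Numeric, per-field comparison, so '2.3.0.14' equals '2.3.0.014'."""
    low, high = parse_version(AFFECTED_MIN), parse_version(AFFECTED_MAX)
    return low <= parse_version(version) <= high


def triage(inventory):
    """Sort (name, version) pairs into affected / ok / unknown buckets."""
    result = {"affected": [], "ok": [], "unknown": []}
    for name, version in inventory:
        try:
            bucket = "affected" if is_affected(version) else "ok"
        except ValueError:
            bucket = "unknown"  # unreadable version: check the device by hand
        result[bucket].append(name)
    return result


# Constructed sample inventory (labels and versions are made up).
SAMPLE_INVENTORY = [
    ("wireless-plus-lab", "2.2.0.005"),
    ("wireless-mobile-01", "2.3.0.14"),   # unpadded form of 2.3.0.014
    ("fuel-office", "2.2.1.011"),
    ("wireless-plus-old", "2.1.0.040"),
    ("wireless-plus-new", "2.3.0.015"),
    ("fuel-unlabelled", "n/a"),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Devices in the "unknown" bucket should be treated as unpatched until their firmware version has been read from the device itself.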