Tangible Security researchers Mike Baucom, J. Rach, and Allen Harper discovered critical vulnerabilities in a wireless network storage device by Seagate.
The following devices with firmware versions 2.2.0.005 and 2.3.0.014, dating to October 2014, are vulnerable to three attack vectors (below). Other firmware versions may be affected.
- Seagate Wireless Plus Mobile Storage
- Seagate Wireless Mobile Storage
- LaCie FUEL
The vulnerabilities are:
Use of Hard-coded Credentials
- Vulnerability Description: The affected device firmware contains undocumented Telnet services accessible by using the default credentials of 'root' as username and the default password
- Impact Description: an attacker can covertly take control of the device, not only compromising the confidentiality of files stored on it but use it as a platform to conduct malicious operations beyond the device
- Vulnerability Description: The affected device firmware provides unrestricted file download capability
- Impact Description: Attackers can gain access all files stored in affected devices. This vulnerability requires attackers to be within range of the device’s wireless network
- Vulnerability Description: The affected device firmware provides a file upload capability to the device's /media/sda2 file system, which is reserved for the file sharing
- Impact Description: this vulnerability requires attackers to be within range of the device’s wireless network, who can upload files onto it. If such files were maliciously crafted, they could compromise other endpoints when the files are opened
Solution Seagate has posted firmware updates that patch these vulnerabilities. [https://apps1.seagate.com/downloads/request.html]
We urge users of these devices, including older and newer models, to download and install the latest firmware updates available from Seagate that address these vulnerabilities. Failing to do so exposes those benefiting from the use of these devices to cyber crime risks.
- Vendor contacted and details of vulnerabilities disclosed - March 18, 2015
- Vendor confirmed vulnerabilities - March 30, 2015
- Patch tested/confirmed by Tangible Security - July 8, 2015
- US CERT coordinates release of advisory with vendor - July 20, 2015
- US CERT publishes advisory- September 1, 2015