View All R&D Articles

Security Issues Affect Some Seagate Wireless Hard Drives

September 9, 2015

Security flaws in some wireless hard drives could give hackers access to sensitive information.

The issues primarily affect Seagate and LaCie wireless storage products, especially the Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL.

Firmware versions 2.2.0.005 and 2.3.0.014 are known to be affected by the vulnerabilities. However, other firmware versions may be affected, according to CERT/CC (Computer Emergency Response Team Coordination Center), the federally funded organization that announced the discovery of the flaws.

To check your firmware version, you can load the Seagate Wireless Plus menu in your browser and select the appropriate option from the Settings -> About menu.

The vulnerabilities are as followed (the following text is taken directly from the CERT announcement):

CWE-798: Use of Hard-coded Credentials – CVE-2015-2874

Some Seagate wireless storage products provide undocumented Telnet services accessible by using the default credentials of ‘root’ as username and the default password.

CWE-425: Direct Request (‘Forced Browsing’) – CVE-2015-2875

Under a default configuration, some Seagate wireless storage products provides an unrestricted file download capability to anonymous attackers with wireless access to the device. An attacker can directly download files from anywhere on the filesystem.

CWE-434: Unrestricted Upload of File with Dangerous Type – CVE-2015-2876

Under a default configuration, some Seagate wireless storage products provides a file upload capability to anonymous attackers with wireless access to the device’s /media/sda2 filesystem. This filesystem is reserved for file-sharing.

Read the full report here.

These are significant security vulnerabilities, since they could allow an attacker to access a wireless Seagate or LaCie device. The attacker could then read, change, or delete files from the hard drive.

According to Seagate, “affected users are encouraged to update the firmware as soon as possible.” The revised firmware can be downloaded from Seagate’s website. CERT also recommends the firmware update as a solution.

As with any firmware upgrade, we strongly recommend backing up data before starting the update process. Data loss can occur if the update is interrupted for any reason. Users should also review passwords on any network-attached storage device to ensure security.

Summary
Security Issues Affect Some Seagate Wireless Hard Drives
Article Name
Security Issues Affect Some Seagate Wireless Hard Drives
Description
Security flaws in some Seagate and LaCie wireless hard drives could give hackers access to sensitive information.
Author