Security flaws in some wireless hard drives could give hackers access to sensitive information.
The issues primarily affect Seagate and LaCie wireless storage products, especially the Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL.
Firmware versions 2.2.0.005 and 2.3.0.014 are known to be affected by the vulnerabilities. However, other firmware versions may be affected, according to CERT/CC (Computer Emergency Response Team Coordination Center), the federally funded organization that announced the discovery of the flaws.
To check your firmware version, you can load the Seagate Wireless Plus menu in your browser and select the appropriate option from the Settings -> About menu.
The vulnerabilities are as followed (the following text is taken directly from the CERT announcement):
CWE-798: Use of Hard-coded Credentials – CVE-2015-2874
Some Seagate wireless storage products provide undocumented Telnet services accessible by using the default credentials of ‘root’ as username and the default password.
CWE-425: Direct Request (‘Forced Browsing’) – CVE-2015-2875
Under a default configuration, some Seagate wireless storage products provides an unrestricted file download capability to anonymous attackers with wireless access to the device. An attacker can directly download files from anywhere on the filesystem.
CWE-434: Unrestricted Upload of File with Dangerous Type – CVE-2015-2876
Under a default configuration, some Seagate wireless storage products provides a file upload capability to anonymous attackers with wireless access to the device’s /media/sda2 filesystem. This filesystem is reserved for file-sharing.
These are significant security vulnerabilities, since they could allow an attacker to access a wireless Seagate or LaCie device. The attacker could then read, change, or delete files from the hard drive.
According to Seagate, “affected users are encouraged to update the firmware as soon as possible.” The revised firmware can be downloaded from Seagate’s website. CERT also recommends the firmware update as a solution.
As with any firmware upgrade, we strongly recommend backing up data before starting the update process. Data loss can occur if the update is interrupted for any reason. Users should also review passwords on any network-attached storage device to ensure security.
