Backdoor Discovered Into Seagate NAS Drives
Mark Wilson writes: If you have not recently updated the firmware for your Seagate wireless NAS drives, now is the time to do so. Researchers at Tangible Security have discovered a series of vulnerabilities in a number of devices produced by Seagate that could allow unauthorized access to files and settings. An undocumented Telnet feature could be used to gain control of the device by using the username 'root' and the hardcoded default password. There are also other vulnerabilities that allow for unauthorized browsing and downloading of files, as well as permitting malicious files to be uploaded. Tangible Security says that Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL drives are affected, but there may also be others. The security issues are confirmed to exist with firmware versions 2.2.0.005 to 2.3.0.014.
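An added example, not part of the original submission or of Tangible Security's report: a small Python triage that checks a device inventory against the models and firmware range named in the summary above. The inventory rows, status labels and function names are constructed for illustration.

```python
import csv
import io

# Confirmed range and named models, as given in the summary above.
AFFECTED_MIN = (2, 2, 0, 5)    # 2.2.0.005
AFFECTED_MAX = (2, 3, 0, 14)   # 2.3.0.014
NAMED_MODELS = {
    "seagate wireless plus mobile storage",
    "seagate wireless mobile storage",
    "lacie fuel",
}

# Constructed sample inventory (not real asset data).
SAMPLE_INVENTORY = """model,firmware
Seagate Wireless Plus Mobile Storage,2.2.0.005
LaCie FUEL,2.3.0.014
Seagate Wireless Mobile Storage,2.3.0.015
LaCie FUEL,unknown
Other vendor NAS (constructed),1.0.0.001
"""

def parse_version(text):
    """Turn '2.3.0.014' into (2, 3, 0, 14); return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(model, firmware):
    """Return 'affected', 'unconfirmed' or 'not-listed' for one device."""
    if model.strip().lower() not in NAMED_MODELS:
        return "not-listed"      # the summary notes other models may exist
    version = parse_version(firmware)
    if version is None:
        return "unconfirmed"     # unreadable version cannot be ruled out
    # Compare numerically per field; string comparison misorders versions.
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "unconfirmed"         # outside the range the summary confirms

def triage_inventory(csv_text):
    """Classify every row of a 'model,firmware' CSV inventory."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["model"], r["firmware"], triage(r["model"], r["firmware"])) for r in rows]

if __name__ == "__main__":
    for model, firmware, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{status:12} {model} ({firmware})")
```

Devices reported as `affected` are the ones the summary says need a firmware update; `unconfirmed` entries need a manual check because the summary only confirms the stated range.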
On the other hand, anyone who expects a hard drive in a cheap enclosure that offers network services to have a focus on security is a little whacko. If you're serious about network storage, you buy bare drives and put them in something like a Synology, QNAP, or Drobo. I stopped buying external drives with embedded software that I couldn't wipe a while ago. Right now, the only external drives I use are WD Elements because they provide what I'm looking for in an external drive - storage on a USB cable and nothing else.
SSH has many advantages besides encryption. Passwordless login, tunnelling, etc.
A few weeks ago, thought of purchasing one.
Then, I remembered I had a Raspberry Pi 2, an old 1TB drive, a USB wireless dongle, and 15 minutes of spare time.
I now have a device running ssh, that I can rsync to properly firewalled, and can act as an ssh proxy.
Raspberry Pi 2: $30 - on sale
Old 1TB Drive : "FREE"
USB to SATA Converter: $5.00 - with sleep mode!
Wireless Dongle : Free
Raspberry Pi Case: $7.99
2.1A Power Supply : Free
NO KNOWN BACKDOORS: PRICELESS
FULL CONTROL OF MY HARDWARE: PRICELESS
FULL CONTROL OF MY DATA: PRICELESS
One of the most important aspects of securing your systems is to layer the security, so that if a zero day is used and the black hat gets access to something they don't automatically get access to everything else. This is simple things like not using the same password on every computer, and even simpler things like not using insecure protocols on your network, even on the internal side.
There is simply no reason whatsoever to use telnet even internally. SSH does everything telnet does, it doesn't cost more, it isn't harder to use, it's not more difficult to deploy and above all it adds an extra layer to the security.
Using telnet, even internally, is just bad practice and frankly means you aren't very smart. I agree with the parent poster, using telnet in this day and age should be considered a deliberate malicious act by a manufacturer and an indication of stupidity on the part of any admin.
On my LAN, I don't need encryption. If the NSA is on my LAN, I've got other things to worry about than just them sniffing on my pr0n.
The problem is that you don't know who else may be on your LAN, or trying to get on it. Even if you think you have nothing of value on your network, the computers and associated storage and CPUs represent a potentially valuable resource that could be used for many purposes by crackers, spammers, and various criminals. You should really be using a secure protocol of some sort unless your LAN doesn't connect to the internet. Even then you have to ask yourself if you trust all the users on the network.
Consumer laws need to catch up. This kind of vulnerability should be considered a fatal design defect and result in a recall of the affected products, with a full cash refund.