Slashdot Mirror


Backdoor Discovered Into Seagate NAS Drives

Mark Wilson writes: If you have not recently updated the firmware for your Seagate wireless NAS drives, now is the time to do so. Researchers at Tangible Security have discovered a series of vulnerabilities in a number of devices produced by Seagate that could allow unauthorized access to files and settings. An undocumented Telnet feature could be used to gain control of the device by using the username 'root' and the hardcoded default password. There are also other vulnerabilities that allow for unauthorized browsing and downloading of files, as well as permitting malicious files to be uploaded. Tangible Security says that Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL drives are affected, but there may also be others. The security issues are confirmed to exist with firmware versions 2.2.0.005 to 2.3.0.014.
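As an added example (not code from the story, Seagate or Tangible Security): a small defender-side checker that decides whether a firmware version string reported by a device falls inside the affected range given above, 2.2.0.005 to 2.3.0.014 inclusive. Versions are compared numerically, component by component, because a plain string comparison would sort a hypothetical "2.10.0.001" before "2.3.0.014"; the device inventory at the bottom is constructed.

```python
"""Firmware version range check for the Seagate wireless NAS advisory above.

Added example; the affected range is the one stated on the page, the
sample inventory is constructed for illustration.
"""
from __future__ import annotations

AFFECTED_MIN = "2.2.0.005"  # lowest affected version named in the advisory
AFFECTED_MAX = "2.3.0.014"  # highest affected version named in the advisory


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.2.0.005' into (2, 2, 0, 5).

    Integer tuples are needed: comparing raw strings would place
    '2.10.0.001' before '2.3.0.014' because '1' sorts before '3', and
    the leading zeros in '005' must not matter either.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str,
                low: str = AFFECTED_MIN, high: str = AFFECTED_MAX) -> bool:
    """True when low <= version <= high, compared component by component."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each device name to 'affected', 'not affected' or 'unknown'.

    An unparsable firmware string is reported as 'unknown' rather than
    silently treated as safe, so it gets looked at by a human.
    """
    result: dict[str, str] = {}
    for name, version in inventory.items():
        try:
            result[name] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[name] = "unknown"
    return result


# Constructed sample inventory: device name -> firmware string it reports.
SAMPLE_INVENTORY = {
    "wireless-plus-office": "2.2.0.005",   # bottom of the affected range
    "wireless-plus-home": "2.3.0.014",     # top of the affected range
    "fuel-lab": "2.3.0.015",               # one build past the range
    "wireless-old": "2.2.0.004",           # one build before the range
    "wireless-unknown": "n/a",             # not reporting a version
}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device:22} {SAMPLE_INVENTORY[device]:10} {status}")
```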

26 of 121 comments

  1. Backdoor Discovered Into Seagate NAS Drives by nickweller · Score: 4, Interesting

    Who wrote the code? What explanation do they have for inserting such features in a supposedly secure storage device? Is there a more sinister explanation for this?

    1. Re:Backdoor Discovered Into Seagate NAS Drives by nickweller · Score: 2

      @Anonymous Coward: "Perhaps an early feature that was dropped but never removed from the code?"

      Who was it that tested the device for security vulnerabilities before releasing it to market? They did run some tests - didn't they?

    2. Re:Backdoor Discovered Into Seagate NAS Drives by dinfinity · Score: 2

      The title is pretty clear about it: It was just discovered into the drives by Tangible Security.

    3. Re:Backdoor Discovered Into Seagate NAS Drives by Tokolosh · Score: 2

      "Never attribute to malice that which is adequately explained by stupidity."

      Unfortunately, the explanation is not adequate.

      --
      Prove anything by multiplying Huge Number times Tiny Number

    4. Re:Backdoor Discovered Into Seagate NAS Drives by AmiMoJo · Score: 4, Informative

      As much as I love a good NSA/GCHQ conspiracy theory, I think this one is most likely just incompetence. Their NAS boxes run Linux, and telnet is really useful for debugging headless machines during development. Someone either forgot to turn it off before shipping or just assumed that because they changed the default port no-one would find it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  2. Let me guess by Anonymous Coward · Score: 4, Informative

    Closed-source firmware?

    1. Re:Let me guess by grumbel · Score: 2

      Differences when compiled can be shrugged off as different compiler versions.

      Yep, and it's not just different compilers: time stamps, compile order on parallel builds, the order of files in the filesystems, install path, compile flags, etc. will all change the resulting binary. Reproducible builds just haven't been a thing in the Free Software community, and only very recently did Debian start work on ensuring that their binaries are byte-for-byte reproducible, but that's of course just Debian; we are still far, far away from having reproducible builds be the default way Free Software binaries are distributed.

    2. Re:Let me guess by TheRaven64 · Score: 2

      but that's of course just Debian

      Actually, it isn't. The Linux Foundation is funding the effort, and it's mostly Debian people leading it, but they're working on a variety of projects (including FreeBSD!), not just Debian.

      --
      I am TheRaven on Soylent News

  3. My gosh by execthis · Score: 4, Funny

    My gosh, you would think in this day and age that firmware developers would know better than this. Hard-coded telnet passwords? Seriously?

  4. Telnet?! by maugle · Score: 4, Funny

    Seriously, who uses telnet instead of ssh in this day and age? I think we're at the point where including telnet - even optionally - in any Internet-facing device should be classified as a malicious act.

    1. Re: Telnet?! by x0ra · Score: 2

      On my LAN, I don't need encryption. If the NSA is on my LAN, I've got other things to worry about than just them sniffing on my pr0n.

    2. Re: Telnet?! by cbiltcliffe · Score: 3, Insightful

      SSH has many advantages besides encryption. Passwordless login, tunnelling, etc.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......

    3. Re: Telnet?! by Antique+Geekmeister · Score: 2

      Much of that delay is the reverse DNS done by the remote SSH daemon, especially when the reverse DNS is unavailable. Turn that off, especially for wandering sftp clients or git access, and you'll profoundly improve initial connection time.

    4. Re: Telnet?! by rahvin112 · Score: 3, Insightful

      One of the most important aspects of securing your systems is to layer the security, so that if a zero day is used and the black hat gets access to something they don't automatically get access to everything else. This is simple things like not using the same password on every computer, and even simpler things like not using insecure protocols on your network, even on the internal side.

      There is simply no reason whatsoever to use telnet even internally. SSH does everything telnet does, it doesn't cost more, it isn't harder to use, it's not more difficult to deploy and above all it adds an extra layer to the security.

      Using telnet, even internally, is just bad practice and frankly means you aren't very smart. I agree with the parent poster: using telnet in this day and age should be considered a deliberate malicious act by a manufacturer and an indication of stupidity on the part of any admin.

    5. Re: Telnet?! by rahvin112 · Score: 2

      AES instructions are included by default in almost every single processor produced in the last 5 years. The only CPU without "the cycles" to run SSH is going to be the smallest oldest industrial control you've never seen.

      There is no valid reason for not using SSH on any product that can install it. I doubt you could find a single product that would struggle with SSH encryption, even in the lowest end ARM or MIPS processors.

  5. Wrong response by Anonymous Coward · Score: 5, Informative

    When a company's firmware is backdoored, you don't just download the patch and hope they won't do it again. You buy from somewhere else.

    1. Re:Wrong response by Anonymous Coward · Score: 2, Informative

      Did you miss the part where it was a HARDCODED password? That user account and default password will always work, even if you think you've changed it, or if you think the account doesn't exist at all.

    2. Re:Wrong response by AmiMoJo · Score: 3, Insightful

      Consumer laws need to catch up. This kind of vulnerability should be considered a fatal design defect and result in a recall of the affected products, with a full cash refund.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  6. Mix-match vendors and layer your security by rtkluttz · Score: 3, Interesting

    It's pretty much come down to the fact that all corporations are working against the consumers. The best we can hope for is to mix and match vendors, layer our security, and not use cloud-based shit. Use open source firewalls and control your outbound ports, not just incoming ports.

    Stop trusting these dickheads people.

    --
    Digital is, by definition, imperfect. Analog is the way to go.

  7. Comment removed by account_deleted · Score: 2

    Comment removed based on user account deletion

  8. Yet another reason not to buy Seagate... by Drakonblayde · Score: 5, Insightful

    On the other hand, anyone who expects a hard drive in a cheap enclosure that offers network services to have a focus on security is a little whacko. If you're serious about network storage, you buy bare drives and put them in something like a Synology, QNAP, or Drobo. I stopped buying external drives with embedded software that I couldn't wipe a while ago. Right now, the only external drives I use are WD Elements because they provide what I'm looking for in an external drive - storage on a USB cable and nothing else.

    1. Re:Yet another reason not to buy Seagate... by Anonymous Coward · Score: 2, Interesting

      If you're serious about network storage, you build a FreeNAS server with server parts including ECC RAM and multiple NICs teamed together. You fill it up with WD Red Pro drives or another drive that has appropriate TLER settings for NAS usage. You also plug it into a decent UPS ($300+ true sine wave unit).

      In no universe are Synology, QNAP or Drobo anything more than consumer toys.

  9. Hilarious extract from website by Tokolosh · Score: 3, Funny

    From CERT website, with prominent NSA logo (https://www.kb.cert.org/vuls/id/903500):

    "Tangible Security would also like to publically thank Seagate for their cooperation and desire to make their products and customers more secure."

    --
    Prove anything by multiplying Huge Number times Tiny Number

  10. NAS is a fad anyways by buckfeta2014 · Score: 2

    The only difference between a file server and a NAS is the ridiculously bad CPU and slow, clunky software it's packed with. If you really want a file server, just grab a random linux distro and install it on a PC with a lot of disks.

    --
    Buck Feta. You know what to do.

  11. Thought of purchasing one, thought better by Anonymous Coward · Score: 2, Insightful

    A few weeks ago, thought of purchasing one.

    Then, I remembered I had a Raspberry Pi 2, an old 1TB drive, a USB wireless dongle, and 15 minutes of spare time.

    I now have a device running ssh, that I can rsync to, that is properly firewalled, and that can act as an ssh proxy.

    Raspberry Pi 2: $30 - on sale
    Old 1TB Drive : "FREE"
    USB to SATA Converter: $5.00 - with sleep mode!
    Wireless Dongle : Free
    Raspberry Pi Case: $7.99
    2.1A Power Supply : Free

    NO KNOWN BACKDOORS: PRICELESS
    FULL CONTROL OF MY HARDWARE: PRICELESS
    FULL CONTROL OF MY DATA: PRICELESS

  12. Not a backdoor by javispedro · Score: 5, Informative

    This is not a backdoor.
    • It is not undocumented. It uses Arago, an actually open GNU/Linux distribution, as firmware (so it is more open source than your average Android device!), and the ability to root it via telnet has been available since day 1, with a widely known password.
    • It is not remote, since to access it you need to join the NAS WLAN, and for that you need the passphrase created by the user. If you've managed to guess the passphrase/break that layer, then you've already crossed the airtight hatchway: at that point you can already view all the files on the disk, install adware, viruses, etc.
    • This was being used by plenty of people to install custom Linux distributions such as Debian or Arch on relatively inexpensive hardware. There's even a user-focused distribution for the device.

    Basically, another group of security "researchers" (use of quotes intentional) manage to force a company making a relatively open embedded product to close it down for tinkerers, while not improving the security of the product at all.

    I hate this world.