Slashdot Mirror


Buggy Software in Popular Connected Storage Drives Can Let Hackers Read Private Data (techcrunch.com)

Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user's private and sensitive data. From a report: The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested -- NetGear Stora, Seagate Home and Medion LifeCloud -- can allow an attacker to remotely read, change and delete data without requiring a password. Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.

The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies -- including PHP -- to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as "root" -- the built-in user account with the highest level of access -- making the data on the device vulnerable to prying eyes or destruction.

44 comments

  1. Blah by Anonymous Coward · · Score: 0

    Putting one part of your computer online puts the whole computer online.

    1. Re:Blah by HarrySquatter · · Score: 1

      Well at least the hackers aren't turning them into bombs.

      https://media-wired-com.cdn.am...

    2. Re: Blah by jd · · Score: 1

      You say that, but to what extent is it true?

      Let's take the hypothetical scenario - you've an A1+ OB-rated computer with hardware-enforced memory segmentation and memory security labelling, and network security labelling. There's no root and everything is by mandatory access control.

      Let's say the firewall has been set to block all incoming connections.

      The computer is online, but in what sense is all of it online? How do you propose to hack the hard drive of such a machine?

      The problem with simplistic descriptions is that they lead to naive optimism or naive conservatism.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    3. Re: Blah by Anonymous Coward · · Score: 0

      Cool, so we all need $30,000 computers. And a firewall????
      Not practical at all.

    4. Re:Blah by Anonymous Coward · · Score: 0

      What is point of putting parts of computer on line?

      I tried putting parts of computer on washing line.
      Then rain comes and cleans all parts

      It is good way to clean parts but other than that, what is point?
      easier way to blow out computer is by leaving it near tornado,
      only problem finding computer again afterwards,
      though easily fixed with sturdy chain and anchor :-D

    5. Re: Blah by Anonymous Coward · · Score: 0

      Just don't let creimer into your all-you-can-eat buffet. He'll eat you out of house and home.

    6. Re:Blah by omnichad · · Score: 2

      This is basically a single-drive NAS that has a way to log in and access your files when away from home. Sort of like Dropbox in a way, but with apparently terrible security.

    7. Re: Blah by Anonymous Coward · · Score: 0

      I would hack it by exploiting a weakness on the non/lower certified firewall hardware, bypassing those restrictions, man in the middling it for credentials and then logging in as a fully authorized user. None of which appears in the logs improperly in the A1 O wow super duper certified box.

      Unless your entire network, from every leaf to every root, at every fork in every branch is secure, I can get in/out or around it. Running Intel firmware? Owned. Running Cisco backdoored master password gear? Owned. Much less the lesser known exploits. Like the JQuery one just announced that has been in use for at least three years.

      I have a couple frameworks of my own out there, on tens of thousands of servers. Maybe it is secure. Maybe it is vulnerable to an overflown/miscast that results in an odd bitshift that executes as admin locally. You don't know. You assume someone would have found it. Just like you may have assumed JQuery, with millions of users, was secure.

    8. Re: Blah by jd · · Score: 1

      No reason why it would cost that, but blanket statements don't come with an implicit upper bound. If you want to claim "for all", you'd best either state a range or be damn sure I can't provide an existence proof for an exception.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    9. Re: Blah by jd · · Score: 1

      Won't work.

      First, the firewall is set to block all incoming connections. Makes it impossible to break into, since you can't connect to it.

      Second, security labeling means even if you got into the firewall, the firewall can't generate any packets the machine would accept.

      Third, because incoming connections are blocked, there are no credentials to intercept.

      It doesn't matter what you can get around, it matters only if there's a vector that runs from where you start to where you want to end. No complete path, no luck. No matter what you can work around.

      You don't know if your frameworks are secure? You've never looked at, oh, validating the code? Give you some suggestions.

      First, look up CERT Secure Programming. Then look up NASA's Power of Ten. If you're using interacting threads, learn about Pi calculus. Splint is not terribly good, better static checkers are out there - some built into LLVM. You won't use all of these, but that's unimportant.

      If your code is:
      1) Easy to read
      2) Free of defective underlying functions
      3) Free of known standard coding errors
      4) An implementation of a validated state machine
      5) Properly tested at unit and integrated levels
      6) Tested against linguistic anomalies (such as injectable escape codes and terminators)

      Then you can be confident that the defect density is very low indeed. If you choose not to be, that's your problem.

      If you want to increase confidence further, you want to make sure:
      A) Test harnesses are developed prior to implementation
      B) Additional theorems are developed about how the code operates
      C) Everything is properly encapsulated and isolated under minimum privilege doctrine
      D) One module does one thing and does it well (UNIX doctrine)

      The point of C is that even if a bug exists, it simply doesn't matter. Either it can't be reached or you can't get anywhere from it. You cannot prove a program 100% correct, but you don't have to. You only have to prove that any remaining defects are disjoint.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  2. This Just IN by Anonymous Coward · · Score: 0

    Thieves
    can
    enter
    houses,
    cars,
    and
    other
    buildings
    when
    doors
    are
    left
    open.

    News at Eleven !


    1. Re: This Just IN by jd · · Score: 1

      What if it's a house on top of K2, with the entrance on the roof reachable only by a deadly maze?

      I'd have thought you could leave the front door wide open.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    2. Re: This Just IN by Anonymous Coward · · Score: 0

      If your home is on top of a mountain like K2, no matter how deadly a maize you engineer the cold will kill it, making the corn useless as a guard.

      Also, high altitude helicopters and sky divers can still easily access it. As can 1980's He-man with his Attack -Trak

  3. Really? by 110010001000 · · Score: 1

    You mean cheap software written in PHP is insecure?

    1. Re: Really? by Anonymous Coward · · Score: 0

      What kind of story is this on slashdot... "root" who ever put that in quotes needs to be demoted to operator

    2. Re:Really? by Anonymous Coward · · Score: 0

      I was going to say the same thing.

      Let's chant:

      PHP IS INSECURE
      PHP IS INSECURE
      PHP IS INSECURE

      (sorry for shouting, but apparently the world doesn't get it otherwise)

      We should outlaw the PHP language.

    3. Re:Really? by UnknownSoldier · · Score: 1

      Well PHP does stand for PHucked uP =P

      /me ducks

      (Lighten up, it was a joke)

  4. I have a solution for this... apk by Anonymous Coward · · Score: 0

    I install my hosts file and then I shove the storage device up my ass, it keeps hackers away.

    APK

    1. Re:I have a solution for this... apk by Anonymous Coward · · Score: 0

      Fake APK detected.
      We all know that the only things APK shoves up his ass is his own fist and his roommate's dick.

  5. Axentra -- WTF? by hduff · · Score: 2

    So it seems like it's up to Axentra to fix their poorly coded Piece Of Shit? But do they really even care?

    This kind of sloppy programming needs to come with easy-to-litigate civil remedie$ and then maybe it will stop.

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    1. Re:Axentra -- WTF? by hduff · · Score: 0

      Mr. Eric Lefebvre is the Co-Founder of Axentra,
      283 Dalhousie Street
      Suite 300
      Ottawa, ON K1N 7E5
      Canada
      Phone: 613-627-1250
      Perhaps he would like to respond to this disclosure of such poor security practices?

      --
      "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    2. Re:Axentra -- WTF? by grep+-v+'.*'+* · · Score: 2

      and then maybe it will stop.

      Naaaaa -- don't you know, it's like the CLOUD baby, where everything goes and you push responsibility as far as you can and then right out the window. There's NO problems at all that an online contract or ROM update won't fix. And of course with surface mount chips, unfixable hardware, and no one ever reading the legals, they'll have to buy your *next* product with its OWN new problems.

      Planned Obsolescence? That's so 1990s. Now they need to pay you for your new product while the old one's still working! It's a joy to behold! Catch up with the times already baby; the Good Times are Here!

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    3. Re:Axentra -- WTF? by RockDoctor · · Score: 1

      This kind of sloppy programming needs to come with easy-to-litigate civil remedie$ and then maybe it will stop.

      Didn't you read the fucking software agreement before using it? The bit that disclaimed its fitness for any particular purpose, and limited all liability to the sale value of the software. At least, that's how I read typical EULAs.

      --
      Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  6. Fuck it, I'm blaming the victims here by Anonymous Coward · · Score: 0

    What kind of world class fucking moron do you have to be to buy internet connected storage or cloud managed anything. They're the first features I look for on any new purchases so I know to avoid them and I recommend the same to all my friends and family when they come asking for advice. It's like installing a human-shaped doggy door for fuck's sake.

    1. Re: Fuck it, I'm blaming the victims here by Anonymous Coward · · Score: 0

      Yeah, seriously what is so hard or inconvenient about flash drives?
      Or how about getting that drive but not installing the shitty software it comes with?

    2. Re:Fuck it, I'm blaming the victims here by ole_timer · · Score: 1

      +1

      --
      nothing to see here - move along
    3. Re: Fuck it, I'm blaming the victims here by jd · · Score: 1

      I would imagine an Internet-connected router could be handy. NAS and SAN drives are, by their nature, capable of being on the Internet.

      However, anyone buying a networked appliance should be a fully-qualified firewall admin, and the cloud should really be evaporated.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    4. Re:Fuck it, I'm blaming the victims here by ctilsie242 · · Score: 2

      There are some quality devices. Synology and QNAP NAS models have solid security, and if you need to add stuff like fail2ban, borg backup, gpg, or other items, that is easily accomplished.

      You can have a NAS that is secure enough to sit on a public IP space (not sure why you want to), and be resistant to attack, provided you limit the IP space, enable 2FA, SSH RSA keys, and keep good backups.

      Secure NAS products are out there... it is just that some companies just don't seem to care enough about making a securable device.

  7. "root"? by mckwant · · Score: 1

    Somebody felt the need to explain the notion of the root user? On /.?

    Goodness.

    --
    ceci n'est pas un sig.
    1. Re:"root"? by Anonymous Coward · · Score: 0

      It's called "newfag summer." You'd be amazed at how dumb new Slashdotters have become.

    2. Re:"root"? by HarrySquatter · · Score: 1

      The part explaining root was just a quote from the original article.

    3. Re: "root"? by jd · · Score: 2

      Well, the better users have the issue of LJ that describes how to remove root from Linux. That, together with cgroups, means some are forgetting about such archaic notions.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. The Problem by Anonymous Coward · · Score: 0

    PHP.

    That is all.

    1. Re: The Problem by Anonymous Coward · · Score: 0

      Bad programmers write exploits in any language.

      Besides how many exploits did C have in its 30 years?

      But keep blaming the tools, that's what a good programmer does. It's never their fault. /s

  9. Internet connected storage is a bad idea by Anonymous Coward · · Score: 0

    Internet connected storage is a bad idea if you aren't an IT-Pro.

    If you don't have to open an inbound port and it doesn't use sftp or a full VPN, then don't use it. Just don't.

    If it used a password, don't.
    If it uses ssh-keys, then maybe, but you really want a full VPN that was setup by your IT friend using openvpn or IPSec.

    That applies to Owncloud/Nextcloud, plain FTP, webdav or any access you access using some "app" from the vendor.

    Just sayin'. Don't be stupid.
    Don't trust storage connected to a router.
    Don't trust "network storage" that is available over the internet using some 3rd party URL.
    Don't be stupid.

    Home security systems fall into this too. Any camera that is available over the internet using an "app" is a bad idea.

  10. Re: c6gunner needs to STOP IMPERSONATING ME... apk by Anonymous Coward · · Score: 0

    Do you really have a greased up yoda doll shoved up your ass?

  11. What is this "Root" by Highdude702 · · Score: 1

    Why would anybody ever have a hard coded admin account?!? That is unbelievable. That is why Linux sucks so bad it has hard coded backdoor accounts! I'm so glad I use BeOS, I don't have to worry about hackers!

  12. Stop buying crap. by Anonymous Coward · · Score: 0

    This is why you stick with companies like QNAP and Synology with a track record of quality products and actually supporting them. Those "NAS" devices being sold by hard drive manufacturers are just garbage hardware farmed out to the lowest bidder in China and the software from some sweatshop in India.

  13. CVE-2018-18471 and CVE-2018-18472 not at MITRE.ORG by Swave+An+deBwoner · · Score: 1

    From the "Wizcase" article:

    Both the vulnerabilities (dubbed CVE-2018-18472 and CVE-2018-18471) remain unpatched at the time of this publication.

    But CVE-2018-18471 and CVE-2018-18472 are not listed at mitre.org or the NIST database:

    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18471
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18472

  14. Mr. Impersonator of me: Still sore? by Anonymous Coward · · Score: 0

    Mr. Impersonator of me: Still buttsore from an ASS-KICKING I gave you here https://tech.slashdot.org/comm... & https://tech.slashdot.org/comm... + https://tech.slashdot.org/comm... on hosts files?

    YES, obviously - lol, your "effete revenge" was DOWNMODS I ran you DRY of as always!

    After you tried VAINLY to "downmod" HIDE all of that here & UNDENIABLE https://tech.slashdot.org/comm... LITERALLY (I just reposted to NULLIFY your 'wannabe weapon' NEUTRALIZING it & EXPOSING YOU LOSING to me, lol!).

    APK

    P.S.=> I love it - especially seeing u REDUCED to TRYING to LIE about me (or LIBEL me) as you IMPERSONATE me (proving you WISH you were me, but you're INFERIOR imitation (& just plain INFERIOR on ALL levels))... apk

  15. it wuz haxx0rz! by Anonymous Coward · · Score: 0

    msmash still not k-rad, news at 11.

  16. c6gunner IMPERSONATING me again? by Anonymous Coward · · Score: 0

    See subject: his FAKEname on a post impersonating me https://linux.slashdot.org/com... & altering /.er's words.

    c6gunner tried to mock me 1st https://linux.slashdot.org/com...

    So I challenge c6gunner to show he did better work than mine & he CAN'T!

    YOU DEMAND PROOF of others here?

    "I've yet to see you provide any evidence of that." by c6gunner on Monday March 15, 2010 @10:02PM (#31490942) ?

    So now I DEMAND IT OF YOU & YOU FAIL!

    c6gunner = "Run, Forrest: RUN!!!

    * c6gunner's LYING saying I did a MacOS X one - I haven't yet & c6gunner's LYING impersonating me saying hosts work vs. Intel CPU issues (spectre/meltdown).

    APK

    P.S.=> You say hosts = shit here https://slashdot.org/comments.... ?

    FACTS: /.ers & security pros + RESULTS say DIFFERENT:

    1st: /.ers https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments.... https://slashdot.org/comments....

    2nd: SECURITY PROS https://slashdot.org/comments....

    3rd: REAL RESULTS w/ hosts vs. threats https://slashdot.org/comments....

    EAT YOUR WORDS!

  17. Re: c6gunner needs to STOP IMPERSONATING ME... ap by Anonymous Coward · · Score: 0

    Yea. It's how I got the inspiration to write the host file for Mac.