Buggy Software in Popular Connected Storage Drives Can Let Hackers Read Private Data (techcrunch.com)
Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user's private and sensitive data. From a report: The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested -- NetGear Stora, Seagate Home and Medion LifeCloud -- can allow an attacker to remotely read, change and delete data without requiring a password. Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.
The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies -- including PHP -- to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as "root" -- the built-in user account with the highest level of access -- making the data on the device vulnerable to prying eyes or destruction.
So it seems like it's up to Axentra to fix their poorly coded Piece Of Shit? But do they really even care?
This kind of sloppy programming needs to come with easy-to-litigate civil remedie$ and then maybe it will stop.
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
Well, the better users have the issue of LJ that describes how to remove root from Linux. That, together with cgroups, means some are forgetting about such archaic notions.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
There are some quality devices. Synology and QNAP NAS models have solid security, and if you need to add stuff like fail2ban, borg backup, gpg, or other items, that is easily accomplished.
You can have a NAS that is secure enough to sit on a public IP space (not sure why you want to), and be resistant to attack, provided you limit the IP space, enable 2FA, SSH RSA keys, and keep good backups.
Secure NAS products are out there... it is just that some companies just don't seem to care enough about making a securable device.
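As an added illustration of the hardening the comment above recommends (this is not the commenter's script, nor anything shipped by Synology or QNAP), the shell snippet below audits an sshd_config for the settings that matter when a NAS is reachable from outside: key-only authentication, no root login, and an explicit allow-list of accounts and source addresses. The two config files, the account name `nasadmin` and the 203.0.113.0/24 range are constructed for the example and are assumptions; fail2ban and 2FA are not covered here.

```shell
#!/bin/sh
# Added example, not from the thread or from any NAS vendor. Audits an
# sshd_config for the settings a publicly reachable NAS should have.
# Note: only the first occurrence of a keyword counts (sshd semantics);
# Match blocks are not handled.

# Constructed sample: the kind of defaults a consumer device might ship with.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF

# Constructed sample: hardened version. AllowUsers pins both the account and
# the source network (account name and range are assumptions for illustration).
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers nasadmin@203.0.113.0/24
EOF

# sshd_setting FILE KEY -> prints the effective value of KEY (first match wins,
# keyword comparison is case-insensitive, comment lines are skipped) or nothing.
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd FILE -> prints one finding per weak setting; the return code is
# the number of findings, so 0 means the file passes this audit.
audit_sshd() {
    f="$1"; n=0
    v=$(sshd_setting "$f" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin should be 'no' (is '${v:-unset}')"; n=$((n+1))
    fi
    v=$(sshd_setting "$f" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication should be 'no' (is '${v:-unset}'): use keys"; n=$((n+1))
    fi
    v=$(sshd_setting "$f" PubkeyAuthentication)
    if [ "$v" = "no" ]; then
        echo "PubkeyAuthentication must not be 'no'"; n=$((n+1))
    fi
    if [ -z "$(sshd_setting "$f" AllowUsers)" ] && [ -z "$(sshd_setting "$f" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: every local account is reachable from anywhere"; n=$((n+1))
    fi
    return $n
}

# Demonstration run: the weak file reports findings, the hardened file is clean.
audit_sshd "$WEAK_CFG" || echo "weak config: $? finding(s)"
audit_sshd "$HARD_CFG" && echo "hardened config: no findings"
```

Run it against the device's real `/etc/ssh/sshd_config` by replacing the constructed file paths; a nonzero exit code is the signal to fix the configuration before exposing the port.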
This is basically a single-drive NAS that has a way to log in and access your files when away from home. Sort of like Dropbox in a way, but with apparently terrible security.