Seagate drives at risk of data theft over hidden backdoor
Security researchers have discovered three severe vulnerabilities in the firmware of three Seagate wireless hard drives product lines. The security researchers discovered that below listed Seagate hard drives which have firmware versions between 2.2.0.005 and 2.3.0.014 contain these vulnerabilities.
The three affected Seagate hard drive products are
Seagate Wireless Mobile Storage
Seagate Wireless Plus Mobile Storage.
Mike Baucom, Allen Harper, and J. Rach, all security researchers for Tangible Security made the discovery which if exploited can let hackers take complete control of the device storage products and the files stored on it.
The first security vulnerability has been assigned CVE-2015-2874 relates to the Seagate hard drive’s design. In default configurations, the same default admin password used to configure the device, can also be used via Telnet, together with the root username.
If exploited by hackers, the vulnerability allows them to gain access to the Telnet root account and sub-sequentially get control over the hard drive itself, along with all the files stored inside it.
The second and third vulnerabilities which have been assigned CVE-2015-2875 and CVE-2015-2876 respectively, can be exploited when the hard drive again uses the default configuration.
However in these vulnerabilities the hacker can exploit the hard drives wireless to hack and gain unrestricted download and upload capabilities to the device.
The researchers said that they had informed Seagate about all the three vulnerabilities and Seagate is issuing firmware update to fix these issues. The researchers said that users who use the above Seagate hard drives can either wait for Seagate firmware update or patch it with Samsung’s 220.127.116.11 firmware update.
Hard-coded credentials are used by manufacturers to configure the devices before they are shipped, however it is necessary to fix those default settings so that they wont be exploited by cyber criminals. Security researcher Kenn White, criticized the company in a tweet on Sunday for the root logins.
People don't expect DOD-level security but, Seagate, please stop adding hidden hardcoded root logins to hard drives.https://t.co/SmoVTaaJaV
— Kenn White (@kennwhite) September 6, 2015
“People don’t expect DOD-level security but, Seagate, please stop adding hidden hardcoded root logins to hard drives,” White wrote.
Seagate hasnt responded to the vulnerabilities.