ZDNet reports details of the vulnerabilities were made publicly available in a security posting today. They were discovered by researchers at Tangible Security who found that three devices — the Seagate Wireless Mobile Storage, Seagate Wireless Plus Mobile Storage and LaCie Fuel — are affected by the issue. Tangible warns that other products may also be based around Seagate’s technology because it is such a large hard drive vendor.
The disclosure covers three distinct flaws in the firmware of the hard drives. When combined, an attacker could effectively gain full access to the device, capable of reading and writing files from the storage when connected wirelessly to the drive.
The researchers found drives running some firmware versions permanently expose undocumented Telnet services that can be accessed by using a default username and password. Telnet is a protocol that allows commands to be executed remotely on devices over a network.
By using Telnet to connect to an affected drive, a hacker could gain control of it using the standard Seagate login details for the “root” username. They would be able to transfer files and run firmware-level operations. A separate vulnerability provides “unrestricted” file downloads, enabling an attacker to access any file on the device.
The final flaw involves an exposure of Seagate’s file upload and media sharing system which would allow attackers to upload compromised files to a drive’s storage. These could then be used to execute further attacks to continue hijacking the drive’s software.
Wireless hard drives have become popular with commuters on the go. They make it easy to store files in one centralised location while accessing them from any mobile device using Wi-Fi and Seagate’s mobile apps. The company is one of the largest mechanical hard drive manufacturers alongside brands like Western Digital.
Seagate has already patched the issues in a firmware update for the affected drives. Owners should ensure that the new version, 3.4.1.105, is downloaded from Seagate’s website to keep their data secure.
Tangible Security warns that people who do not apply the firmware upgrade are exposing themselves to the usual risks associated with cyber-crime. The company has not found any attackers actively exploiting the vulnerabilities in the wild but warns that it is “reasonable to believe” that criminals are doing so because of the nature of the flaws.
