Severe external drive vulnerability prompts Seagate to issue emergency patch

Seagate has a firmware patch that fixes a serious vulnerability for select versions of the company's wireless external hard drives.
  • Ian Paul (PC World (US online))
  • 08 September, 2015 17:24

Watch out Seagate wireless external hard drive owners—your peripheral may have serious flaws in it that will open your files to malicious attackers. The good news is Seagate has already issued a patch for the problem.

The vulnerabilities primarily affect owners of Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie Fuel devices purchased since October 2014. 

That may not be the end of the trouble, however. The firm that first discovered the flaw says other Seagate products may also be affected. “With products from large vendors such as Seagate, there tend to be numerous product names for basically the same product under the same vendor’s name or another vendor,” Tangible Security said in a blog post. “Tangible Security cannot enumerate all of the named products as well as Seagate. Other named products may be affected.”

The worst flaw is thanks to a hard-coded username and password that gives an attacker access to an undocumented Telnet service. Telnet is a command line method of logging into one computer from another over the Internet or a local network.

If an attacker were to use this flaw they could take control of your external hard drive, grab files from it, and even use the device to launch malicious attacks against others, according to Tangible. Even worse, that hard-coded login is ‘root’ for both the username and password.

If you’re wondering why Seagate’s username and password choice is such a problem, you need this tutorial on how to better manage your passwords

A second flaw allows an attacker unrestricted file download capability when in range of the device’s wireless network. Finally, the third flaw could allow an attacker to upload any file they want to a vulnerable device, including malicious files that could compromise other machines the hard drive is connected to. That last flaw would require someone to open the malicious file first, however.

The impact on you at home: Anyone running a wireless Seagate device with firmware versions or can download a patch directly from Seagate that upgrades you to firmware version If you’re not sure if your drive is affected, go to Seagate’s Download Finder, enter your serial number, and see if an update is available for your device. This is a pretty serious vulnerability that has been public for at least one week. You’ll want to download the patch as soon as possible if your drive is affected.

[via Engadget]