Seagate Hard Drives Shipped With Security Flaw

Wireless hard drives from Seagate vulnerable to attack due to default password vulnerability, researchers discover

A security vulnerability has been found on Seagate wireless hard drives that could hand attackers root access to the device just by entering a default username and password.

The flaw, which affects Seagate Wireless Mobile storage, Wireless Plus Mobile Storage and LaCie FUEL drives manufactured from last October onwards, is cracked open by using ‘root’ as both the username and password.

Telnet access

“Seagate wireless hard-drives provides undocumented Telnet services accessible by using theonline security default credentials of ‘root’ as username and the default password,” explained the CERT.org researchers.

“A remote unauthenticated attacker may access arbitrary files on the hard drive, or gain root access to the device.”

In a statement to media, Seagate said: “Seagate was made aware of vulnerabilities in its consumer based wireless hard drives. Seagate has patched the vulnerabilities and issued a firmware update that is available to customers on Seagate.com and through a link on the CERT notification. The firmware update addresses all security concerns with these vulnerabilities.”

Affected users are being urged to update their hard drives as soon as possible with firmware 3.4.1.105.

Earlier this week, security researchers uncovered flaws in a number of leading security products including those from Kaspersky and FireEye.

The affected products involve zero-day vulnerabilities that put users’ private data at risk, reported the IBTimes.

FireEye’s security product was apparently hacked by Los Angeles-based researcher Kristian Erik Hermansen, who revealed on Twitter that he had found ‘at least four’ security flaws in the company’s core product.

Hermansen said that he has sat on one of the flaws for more than 18 months without a fix from FireEye.

“Why would you trust these people to have this device on your network,” said Hermansen when he disclosed the vulnerabilities on Pastebin and Exploit-DB.