Several of Seagate's third-generation wireless hard drives have a secret backdoor for hackers that puts users' data at risk.
A recent study by security researchers at the firm Tangible Security disclosed "undocumented Telnet services" with a hard-coded password in Seagate wireless hard drives.
The secret Telnet vulnerability (CVE-2015-2874), with a built-in user account (default username and password: "root"), allows an attacker to access the device remotely, leaving users' data vulnerable to theft.
According to the US-CERT (Computer Emergency and Response Team) public advisory, multiple models of Seagate hard drives contain multiple vulnerabilities.
Affected devices are:
- Seagate Wireless Plus Mobile Storage
- Seagate Wireless Mobile Storage (Wirelessly streaming your tablet and smartphone’s data)
- LaCie FUEL (Wirelessly extending storage for iPads)
By exploiting these flaws, an attacker can gain root access to the device and access the stored data from a remote location.
The vulnerabilities are of the following types:
- Use of Hard-coded Credentials
- Direct Request ('Forced Browsing')
- Unrestricted Upload of File with Dangerous Type
The Security Advisory also mentions other vulnerabilities that could allow an attacker to directly download files from anywhere on the file system.
Fortunately, there's an easy fix. Seagate recommended that affected customers update the device firmware to version 18.104.22.168 to address these issues.
You can download the latest patched firmware from Seagate's website.