Wireless NAS or Network Attached Storage drives are a terribly convenient way of practically having your own little cloud, whether at home, at work, or even remotely. Given that they are not usually managed by security experts, they also become ripe targets for hackers. But sometimes, the manufacturers themselves make it almost too easy for criminals. Like some of Seagate‘s NAS devices for example, which can be easily broken into using nothing more than Telnet, a user name of “root”, and a default hardcoded password.
Telnet is one of the Internet’s oldest existing communication protocols. Although it it is still in use in some servers, routers, and wireless equipment, it hasn’t exactly been popular anymore. Which is perhaps Seagate managed to overlook this one critical vulnerability, as discovered by Tangible Security.
Telnet allows users to access a device from another computer, whether through wired or wireless connections. Of course, you’ll need to have proper credentials, like a user name and password pair. Sadly, this vulnerability happens because hackers can simply use the “root” (super user or admin user) name and the default password that is hardcoded into the firmware. With this, hackers can have unfettered access to the user’s files.
But things just get better. There are two other vulnerabilities that give unauthorized access to contents stored on these NAS drives, even without Telnet. One is in the drive’s web app, which doesn’t enforce strict security and can therefore be used by hackers to download files stored on the drives. The other goes in the reverse direction, allowing third parties to upload any file, like malware.
Tangible Security reported the vulnerabilities back in March but it is only now that Seagate is rolling out the firmware patch. Affected models include the Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL, but, as Tangible Security warns, there are products with different names but the same models, which could mean that other devices are affected as well.