A recently discovered vulnerability reportedly puts quite a few Seagate hard drives at risk of data theft. The vulnerability is described as an undocumented built-in user account that could allow an attacker to gain remote access to the device. According to a public advisory, this is just one of the many flaws that were discovered in three wireless hard drives manufactured by Seagate.
“Seagate wireless hard-drives provides undocumented Telnet services accessible by using the default credentials of ‘root’ as username and the default password,” says the public advisory. The advisory also mentions other flaws which can allow an attacker to directly download files from anywhere on the file system.
Affected hard drives include the Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage and LaCie Fuel hard drives. The flaws were discovered by security firm Tangible Security and are said to go back to October 2014, affecting firmware versions 2.2.0.005 and 2.3.0.014.
Fortunately, there’s an easy fix: the affected devices only need to be updated to the latest firmware to patch these security vulnerabilities. Even so, Seagate did take flak for this. Well-known security researcher Kenn White tweeted the following: “People don’t expect DOD-level security but, Seagate, please stop adding hidden hardcoded root logins to hard drives.”
Seagate has not yet commented on the matter.