Lenovo patches Iomega NASes for data breach flaw

Lenovo has warned users of selected models of its network attached storage (NAS) products their files may be exposed to the internet without authentication, advising those affected to upgrade to a newer firmware to resolve the problem.

Network attached storage (NAS) devices are incredibly useful things: Effectively miniature servers, they accept one or more hard drives - or come with drives pre-loaded - and allow users to share files between multiple machines on a network. Many also include the ability to access files from outside the local network, such as from a laptop in a coffee shop, which is a fine feature to have so long as external access is protected via cryptography and authentication.

Sadly for users of some Lenovo NAS devices, that turns out to have not been the case. Security firm Vertical Structure alerted the company to a flaw in its products in autumn last year, finding millions of files being shared indiscriminately by Lenovo NAS units totalling around 36TB of data - including financial information, expenses claims, tax returns, and bank data. The company contacted fellow security firm WhiteHat, and jointly alerted Lenovo - which has been praised for issuing firmware updates to fix the flaw despite three of the affected software versions having long been retired.

In its own security alert, Lenovo names the affected NAS products as: Home Network Media Hard Drive (HMNHD) Cloud Edition, Iomega StorCenter PX12-350R, IX12-300R, IX2-200 regular and Cloud Edition, IX4-200D regular and Cloud Edition, and IX4-200RL. In all cases, the products were sold under the Iomega brand - acquired by EMC back in 2008 then spun out into a joint venture with Lenovo in December 2012, with the brand focusing on low-end products.

Those with an affected NAS can find firmware updates on Lenovo's website; if the firmware cannot be updated for any reason, Lenovo advises that partial protection is available by removing public shares and ensuring that the NAS units are accessible only on trusted networks.