Storage giant Seagate has released an urgent patch to close a major security vulnerability in three of its wireless hard drive products.
Announced publicly earlier this month via the CERT Vulnerability Notes Database, the security flaw affects three ranges of wireless storage devices from Seagate: the Seagate Wireless Mobile Storage family, the Seagate Wireless Plus Mobile Storage family, and the LaCie FUEL family. In all cases, there are three major flaws: an undocumented, unencrypted Telnet server running by default and using hard-coded default username and passwords, allowing attackers complete access to the devices; the ability for anyone within wireless range to download files from anywhere on the filesystem without authentication; and the ability to overwrite arbitrary files on the system, including executable and system configuration files.
It's an embarrassment for Seagate, made more serious by the nature of the products. Each device is sold as a simple yet secure way of adding additional storage to mobile devices. When active, however, the devices are open to attack from anyone within range of the Wi-Fi signal - making their use anywhere except in a Faraday cage a serious gamble.
The flaws date back to at least October 2014, but were only recently reported to the company. In response, Seagate has released updated firmware for each device which closes the holes. Anyone with a Wireless, Wireless Plus, or LaCie FUEL drive should upgrade to firmware 220.127.116.11 or later in order to keep their systems secure from attack or data theft.