Severe external drive vulnerability prompts Seagate to issue emergency patch

Seagate has a firmware patch that fixes a serious vulnerability for select versions of the company's wireless external hard drives.

Watch out, Seagate wireless external hard drive owners—your peripheral may have serious flaws in it that will open your files to malicious attackers. The good news is Seagate has already issued a patch for the problem.

The vulnerabilities primarily affect owners of Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie Fuel devices purchased since October 2014. 

That may not be the end of the trouble, however. The firm that first discovered the flaw says other Seagate products may also be affected. “With products from large vendors such as Seagate, there tend to be numerous product names for basically the same product under the same vendor’s name or another vendor,” Tangible Security said in a blog post. “Tangible Security cannot enumerate all of the named products as well as Seagate. Other named products may be affected.”

The worst flaw is thanks to a hard-coded username and password that gives an attacker access to an undocumented Telnet service. Telnet is a command line method of logging into one computer from another over the Internet or a local network.

If an attacker were to use this flaw, they could take control of your external hard drive, grab files from it, and even use the device to launch malicious attacks against others, according to Tangible. Even worse, that hard-coded login is ‘root’ for both the username and password.


A second flaw allows an attacker unrestricted file download capability when in range of the device’s wireless network. Finally, the third flaw could allow an attacker to upload any file they want to a vulnerable device, including malicious files that could compromise other machines the hard drive is connected to. That last flaw would require someone to open the malicious file first, however.

The impact on you at home: Anyone running a wireless Seagate device with firmware versions or can download a patch directly from Seagate that upgrades you to firmware version If you’re not sure if your drive is affected, go to Seagate’s Download Finder, enter your serial number, and see if an update is available for your device. This is a pretty serious vulnerability that has been public for at least one week. You’ll want to download the patch as soon as possible if your drive is affected.

[via Engadget]
