Seagate Technology, the world’s largest storage media maker has issued an emergency patch to all its Seagate wireless external hard drive makers. According to the latest media release, the vulnerability primarily affects owners of Seagate Wireless plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie Fuel Devices purchased since October 2014.
The patch is for the flaw that gives access of hard-coded username and password to the hacker via Telnet service. Telnet is a command line method of logging into one computer from another over the internet or a local network.
If an attacker were to use this flaw they could take control of a user’s external hard drive, grab files from it, and even use the device to launch malicious attacks against others. Even worse, that hard-coded login could act as a ‘root’ for both the username and password.
A second flaw allows an attacker unrestricted file download capability when in range of the device’s wireless network and finally the third flaw could allow an attacker to upload any file they want to a vulnerable device, including malicious files that could compromise other machines the HDD is connected to.
So, anyone running a wireless Seagate device with firmware versions 2.2.0.005 or 2.3.0.014 can download a patch directly from Seagate that upgrades you to firmware version 220.127.116.11.
Those who aren’t sure if their drive is affected, can go to Seagate’s website and enter the serial number, and see if an update is available for their device.
Tangible Security was the security firm which alerted Seagate Wireless Hard drive users about this severe security vulnerability a week ago. And it was happy to hear that Seagate has shown concern about the issue and aptly responded with the right patch.