Backdoor Discovered Into Seagate NAS Drives 121
Mark Wilson writes: If you have not recently updated the firmware for your Seagate wireless NAS drives, now is the time to do so. Researchers at Tangible Security have discovered a series of vulnerabilities in a number of devices produced by Seagate that could allow unauthorized access to files and settings. An undocumented Telnet feature could be used to gain control of the device by using the username 'root' and the hardcoded default password. There are also other vulnerabilities that allow for unauthorized browsing and downloading of files, as well as permitting malicious files to be uploaded. Tangible Security says that Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL drives are affected, but there may also be others. The security issues are confirmed to exist with firmware versions 2.2.0.005 to 2.3.0.014.
Backdoor Discovered Into Seagate NAS Drives (Score:5, Interesting)
Re: (Score:1)
I have seen it all happening, more than
Re: (Score:1)
Who wrote the code. What explanation do they have for inserting such features in a supposedly secure storage device. Is there a more sinister explanation for this?
Apparently never heard of MHDD http://hddguru.com/software/20... [hddguru.com] (it's grown - used to be a hobbyist site, now much more professional). I've used it to gain access to drives using default passwords, excellent tool for "talking" to your hard drives, and fixing what's wrong.
Re: (Score:1)
Easily reinstall the OS if it gets hosed, like most routers have? Perhaps an early feature that was dropped but never removed from the code?
Not everything is some great conspiracy to give the government all of your files so they can forward them to out alien reptile overlords. In fact, nearly nothing is.
Re: (Score:3)
Who was it tested the device for security vulnerabilities before releasing to market. They did run some tests - didn't they?
Re: (Score:3)
The title is pretty clear about it: It was just discovered into the drives by Tangible Security.
Re: (Score:2)
Indeed. Can we discover the discoverers into jail already?
Re: (Score:3)
"Never attribute to malice that which is adequately explained by stupidity."
Unfortunately, the explanation is not adequate.
made in... (Score:2)
Re:Backdoor Discovered Into Seagate NAS Drives (Score:5, Informative)
As much as I love a good NSA/GCHQ conspiracy theory, I think this one is most likely just incompetence. Their NAS boxes run Linux, and telnet is really useful for debugging headless machines during development. Someone either forgot to turn it off before shipping or just assumed that because they changed the default port no-one would find it.
Re: (Score:2)
Re: (Score:2)
It's a wireless NAS - it's insecure in it's very conception, as well as insane.
OK, slightly less insane - with capacities limited to 500GB, they're only going to take a day or so to fill or empty, depending on how much other traffic you have on your WiFi network. But for fucks sake, if you're going to spend even a femtosecond on thinking about security, then you're going to dump the WiFi for wired.
Undocumented Telnet Commands (Score:1)
You can find information on undocumented Telnet Commands and tidbits on Seagate drives at http://webcache.googleusercont... [googleusercontent.com]
Let me guess (Score:4, Informative)
Closed-source firmware?
Re: (Score:1)
Doesn't matter. How many people verify the firmware on their products match the open source version? Differences when compiled can be shrugged off as different compiler versions. You'd have to verify every instruction. For the people who reflash their devices? So what? Now they simply don't have the back door. It's unlikely to matter and almost everyone won't do it.
Open source vs closed source means nothing if no one is watching very closely. How much OSS is managed by one or two people? I'd guess
Re: (Score:3)
Differences when compiled can be shrugged off as different compiler versions.
Yep, and it's not just different compilers, time stamps, compile order on parallel builds, the order of files in the filesystems, install path, compile flags, etc. will all change the resulting binary. Reproducible builds just hasn't been a thing in Free Software community and only very recently did Debian start work on ensuring that their binaries are byte-for-byte reproducible, but that's of course just Debian, we are still far far away from having reproducible builds be the default way how Free Software
Re: (Score:3)
but that's of course just Debian
Actually, it isn't. The Linux Foundation is funding the effort, and it's mostly Debian people leading it, but they're working on a variety of projects (including FreeBSD!), not just Debian.
My gosh (Score:5, Funny)
My gosh, you would think in this day and age that firmware developers would know better than this. Hard-coded telnet passwords? Seriously?
Re: (Score:1)
1) You think developers make those decisions?
2) You think that developers hired to write the firmware are of highest quality paid competative salaries and not the shittiest cheapest ones that can do the job so that product runs?
Re: (Score:2, Interesting)
Adding encryption means you can't export them to "non-approved" countries, and raises a great number of hoops to be able to export the product at all..
https://en.wikipedia.org/wiki/... [wikipedia.org]
Also, encryption algorithms take more space in the very limited space on firmware and small controller chipsets.
Re: (Score:1)
Also, encryption algorithms take more space in the very limited space on firmware and small controller chipsets.
Ye Olde pogoplug has ssh, it's not a very high bar. And that's what I use for my NAS functionality; a series 4 (IIRC) pogoplug, the kind with 2xUSB3 and 1xSATA, running Debian. They cost twenty bucks and use approximately no power...
Re: This never would happen with APPS! (Score:1)
Use the WD or Seagate flavor with or without apps, instruct the router not to let them off the local network and use a vpn to connect to the local network -ãNAS drive if / when needed. Problem alleviated.
No excuse for a hardcoded backdoor, but should solve any security threat it generates. As an additional measure, encrypt the shares with your favorite flavor of encryption. I still use Truecrypt.
Moral of this story: You should be treating everything as if it were compromised from day one. ( Becaus
Telnet?! (Score:5, Funny)
Re: Telnet?! (Score:1)
You don't always need encryption, and ssh takes a fair bit of cpu cycles and space to run.
Re: (Score:3)
Re: (Score:1)
Re: Telnet?! (Score:4, Insightful)
SSH has many advantages besides encryption. Passwordless login, tunnelling, etc.
Re: Telnet?! (Score:1)
It is not overkill, besides it is free... what if my router or one of the computers on my LAN gets compromised? If I don't use ssh they will be able to see all my passwords traveling on my LAN.
Better safe than sorry, there is really no valid reason to use telnet today, unless you want to see how old BBSes looked like... So I fully agree with OP, mandatory encryption everywhere. Encryption is not overkill... It is a right, a right that we need to learn to defend, use and make it normal.
Re: Telnet?! (Score:4, Insightful)
One of the most important aspects of securing your systems is to layer the security, so that if a zero day is used and the black hat gets access to something they don't automatically get access to everything else. This is simple things like not using the same password on every computer, and even simpler things like not using insecure protocols on your network, even on the internal side.
There is simply no reason whatsoever to use telnet even internally. SSH does everything telnet does, it doesn't cost more, it isn't harder to use, it's not more difficult to deploy and above all it adds an extra layer to the security.
Using telnet, even internally is just bad practice and frankly means you aren't very smart. I agree with the parent poster, using telnet in this day and age should be considered a deliberate malicious act by a manufacturer and an indication of stupidity on the part of any admin.
Re: (Score:2, Insightful)
On my LAN, I don't need encryption. If the NSA is on my LAN, I've got other things to worry about than just them sniffing on my pr0n.
The problem is that you don't know who else may be on your LAN, or trying to get on it. Even if you think you have nothing of value on your network the computers and associated storage and cpus represent a potentially valuable resource that could be used for many purposes by crackers, spammers, and various criminals. You should really be using a secure protocol of some sort unless your LAN doesn't connect to the internet. Even then you have to ask yourself if you trust all the users on the network?
Re: (Score:2)
Re: (Score:2)
Yes, but it's kind of slow to authenticate.
$ while true; do time ssh pi :; done
1.84 real 0.11 user 0.01 sys
2.02 real 0.16 user 0.02 sys
1.64 real 0.16 user 0.01 sys
2.17 real 0.16 user 0.00 sys
Re: (Score:3)
Much of that delay is the reverse DNS done by the remote SSH daemon, especially when the reverse DNS is unavailable. Turn that off, especially for wandering sftp clients or git access, and you'll profoundly improve initial connection time.
Re: (Score:2)
That would susprise me since the 'remote' host is 10m worth of cabling away. Reverse (non-)DNS lookup on the remote end takes approx. 300ms (but we're still talking about a raspberry pi here...)
Re: (Score:2)
Re: (Score:2)
My "on" was actually an "on", not a typo'ed "of"
Re: (Score:1)
It doesn't use that much, especially on embedded systems with more modern CPUs and storage space. Consider for example OpenWRT where you can fit into 4MB of flash space a full Linux kernel, busybox system, dropbear ssh server and have space left over for your web server, samba etc. And that ssh implementation is usable even on a 15 year old Linksys device. The NAS drives will have a system on a chip which is far more capable.
And for a secure storage device I'd argue encryption is always needed. This is a wi
Re: (Score:1)
This device needs some sort of processor to handle all the network storage functions. You can configure SSH to run some very insecure MACs and key exchanges if blindingly fast speed is the flavour of the day. This is not meant to run rsync with compression, it's not for X11 forwarding. It's for debug/administrative purposes.
SSH being too resource intense is a cop out. It would have been the better choice for their brand reputation if they used SSH instead of Telnet.
If a cheap 20$ router comes with SSHv2 by
Re: (Score:3)
AES instructions are included by default in almost every single processor produced in the last 5 years. The only CPU without "the cycles" to run SSH is going to be the smallest oldest industrial control you've never seen.
There is no valid reason for not using SSH on any product that can install it. I doubt you could find a single product that would struggle with SSH encryption, even in the lowest end ARM or MIPS processors.
Re: (Score:2)
"AES instructions are included by default in almost every single processor produced in the last 5 years."
Not in the i3-3xxx mobile cpus (released 2013), celeron N29xx (released 2014), Pentium N35xx (2014), and so on. I.e. my laptop and my SO's... (we're more interested in battery life and compactness)
And ssh on my phone (ARM) isn't particularly fast even if the hardware supports it. Can't tell whether dropbear and ssh client actually use AES instructions.
Re: (Score:1)
There's no reason for a telnet server. A telnet client, on the other hand, is vastly useful for debugging connection issues (eg firewall misconfigs) because it lets you specify the port.
Wrong response (Score:5, Informative)
When a company's firmware is backdoored, you don't just download the patch and hope they won't do it again. You buy from somewhere else.
Re: (Score:1)
Telnet and logging in as 'root' with a default password isn't exactly a backdoor is it.
It may be an undocumented default password but just fucking change it. Shit, disable telnet too while you're logged on.
Re: (Score:1)
Re: (Score:2, Informative)
Did you miss the part where it was a HARDCODED password? That user account and default password will always work, even if you think you've changed it, or if you think the account doesn't exist at all.
Re:Wrong response (Score:4, Insightful)
Consumer laws need to catch up. This kind of vulnerability should be considered a fatal design defect and result in a recall of the affected products, with a full cash refund.
Stop it already! (Score:2)
Re: (Score:2)
You get what you pays for. =(
Re: (Score:2)
I see, and how much do you have to pay for non-backdoored hardware? A million dollars? Ten million? A hundred million?
Re: (Score:2)
I see, and how much do you have to pay for non-backdoored hardware? A million dollars? Ten million? A hundred million?
Google is your friend - and try using features and guarantee instead of price when you are sorting the offers.
Going to the lower spectrum of pricing has a cost.
History (Score:2)
Mix-match vendors and layer your security (Score:4, Interesting)
Its pretty much come down to the fact that all corporations are working against the consumers. The best we can hope for is to mix and match vendors and layer our security and don't use cloud based shit. Use open source firewalls and control your outbound ports not just incoming ports.
Stop trusting these dickheads people.
Audited Code? (Score:2)
Doesn't anyone do thi? Belkin - Seagate - Android. Isn't it about time companies check their products?
Re: (Score:2)
Doesn't anyone do thi? Belkin - Seagate - Android. Isn't it about time companies check their products?
Why should they, when corporations aren't held accountable in any way?
In fact, stuff like this works to their benefit. "Oops," they say. "We recommend our newer product where this security issue has been fixed." And given the cost of entry for these markets and that apparently all corporations now engage in this sort of behavior, there is nothing for the customer to do but accept it. Writing properly audite
Whew... (Score:1)
... for a minute there I thought this was a bug in the drive firmware.
At least with a NAS box bug I can plug in USB and turn off the network interface. With a drive firmware bug I can't really prevent being p0wned until I update the firmware, and drive-firmware updates sometimes require a full backup before you even get started.
Re: (Score:2)
Re: (Score:2)
My security update procedure is: laziness. Unfortunately, I'm too lazy to update the procedure.
Zyzel NSA325 (Score:2)
Cheap, you can install debian (Why on earth does evert NAS Manufacturer think that he can do better than to take a standard distribution).
Yet another reason not to buy Seagate... (Score:5, Insightful)
On the other hand, anyone who expects a hard drive in a cheap enclosure that offers network services to have a focus on security is a little whacko. If you're serious about network storage, you buy bare drives and put them in something like a Synology, QNAP, or Drobo. I stopped buying external drives with embedded software that I couldn't wipe awhile ago. RIght now, the only external drives I use are WD Elements because they provide what I'm looking for in an external drive - storage on a USB cable and nothing else
Re: (Score:2, Interesting)
If you're serious about network storage, you build a FreeNAS server with server parts including ECC RAM and multiple NICs teamed together. You fill it up with WD Red Pro drives or another drive that has appropriate TLER settings for NAS usage. You also plug it into a decent UPS ($300+ true sine wave unit).
In no universe are Synology, QNAP or Drobo anything more than consumer toys.
Re: (Score:2)
No real use in getting drives with TLER settings for a NAS as most NAS's don't use a hardware RAID controller and will happily wait for the drive to try all attempts at recovery, even if it takes two minutes.
Re: (Score:2)
In no universe are Synology, QNAP or Drobo anything more than consumer toys.
That's a cute sentiment, but I know quite a few small and medium sized businesses that would disagree with you. The higher end units are perfectly capable of performing, they're easy to setup and deploy, and you don't need to keep someone on staff or retainer to perform sysadmin duties for you.
Re: (Score:2)
Don't worry. The hackers won't be able to get at the data because the drive will crash and you'll lose everything before they even get their telnet terminal up.
Hilarious extract from website (Score:4, Funny)
From CERT website, with prominent NSA logo (https://www.kb.cert.org/vuls/id/903500):
"Tangible Security would also like to publically thank Seagate for their cooperation and desire to make their products and customers more secure."
Re: (Score:1)
Oops, Homeland Security, not NSA.
Oops again, they are the same thing.
NAS is a fad anyways (Score:2)
Re: (Score:1)
Then use a portable USB drive. No need for it to be networked if all you want is a place to dump your porn.
That's only true if you only own one computer. For those of us with three netbooks, one laptop, two tablets, two smartphones, two desktops, and a set-top box in the house, any or all of which may be rebooted or turned off at any given moment, there's substantial utility to NAS.
Right now Kodi on my Android tablet (with HDMI output) is indexing my media so that it can play it across the network gracefully while acting at a STB. As controllers I have the option of the PS3 BD-ROM remote (which I can remap with
Re: (Score:2)
Re: (Score:2)
Hated using XBMC (Now Kodi) for multiple network devices. Have you tried PLEX? It works so much better.
Re: (Score:2)
Hated using XBMC (Now Kodi) for multiple network devices. Have you tried PLEX? It works so much better.
I didn't like Plex as much. I do wish that XBMC had a media info server, though.
Re: NAS is a fad anyways (Score:2)
What do you like more about kodi? I'm curious what they've added recently. Granted, I think the UI on the PC client is better than PLEX, however, PLEX has multiple user support (each with their own watched, queue lists), mobile support (with sync), and has a client for just about everything (some better than others). iOS client is good. Android client is ok. Xbox one client is likely the worst of the "official" clients. There is even an unofficial plug in for kodi.
Re: NAS is a fad anyways (Score:2)
I forgot PLEX has the ability to have a central media server (or servers) and all clients can watch anything from any server, and sharing with friends and family (for those graduation and birthday movies of course).
Re: (Score:2)
What do you like more about kodi? I'm curious what they've added recently. Granted, I think the UI on the PC client is better than PLEX,
The UI on the PC client is the same as on Android, except that I deliberately chose a touch-friendly skin (re-Touched, which is now an official one) for Kodi on my tablet.
I haven't tried Plex in a while, but last time I did, it didn't play as much of my media as Kodi did. I also just liked the layout of the Kodi skins I've used better than the Plex layout.
Since I only have a couple of devices, it's not like I have a huge duplication of effort maintaining metadata. I guess you can back that stuff up, but I n
Thought of purchasing one, thought better (Score:2, Insightful)
A few weeks ago, thought of purchasing one.
Then, I remembered I had a raspberry pi 2, an old 1tb drive, a usb wireless dongle, and 15 minutes of spare time.
I now have a device running ssh, that I can rsync to properly firewalled, and can act as an ssh proxy.
Raspberry Pi 2: $30 - on sale
Old 1TB Drive : "FREE"
USB to SATA Converter: $5.00 - with sleep mode!
Wireless Dongle : Free
Raspberry Pi Case: $7.99
2.1A Power Supply : Free
NO KNOWN BACKDOORS: PRICELESS
FULL CONTROL OF MY HARDWARE: PRICELESS
FULL CONTROL OF MY
And THAT'S... (Score:1)
Not a backdoor (Score:5, Informative)
Basically, another group of security ``researchers'' (use of quotes intentional) manage to force a company making a relatively open embedded product to close it down for tinkerers, while not improving the security of the product at all.
I hate this world.
not a bug a feature (Score:1)