Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Hardware

Backdoor Discovered Into Seagate NAS Drives 121

Mark Wilson writes: If you have not recently updated the firmware for your Seagate wireless NAS drives, now is the time to do so. Researchers at Tangible Security have discovered a series of vulnerabilities in a number of devices produced by Seagate that could allow unauthorized access to files and settings. An undocumented Telnet feature could be used to gain control of the device by using the username 'root' and the hardcoded default password. There are also other vulnerabilities that allow for unauthorized browsing and downloading of files, as well as permitting malicious files to be uploaded. Tangible Security says that Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL drives are affected, but there may also be others. The security issues are confirmed to exist with firmware versions 2.2.0.005 to 2.3.0.014.
This discussion has been archived. No new comments can be posted.

Backdoor Discovered Into Seagate NAS Drives

Comments Filter:
  • by nickweller ( 4108905 ) on Monday September 07, 2015 @04:30PM (#50474095)
    Who wrote the code. What explanation do they have for inserting such features in a supposedly secure storage device. Is there a more sinister explanation for this?
    • Who wrote the code. What explanation do they have for inserting such features in a supposedly secure storage device. Is there a more sinister explanation for this?

      Apparently never heard of MHDD http://hddguru.com/software/20... [hddguru.com] (it's grown - used to be a hobbyist site, now much more professional). I've used it to gain access to drives using default passwords, excellent tool for "talking" to your hard drives, and fixing what's wrong.

    • by Anonymous Coward

      Easily reinstall the OS if it gets hosed, like most routers have? Perhaps an early feature that was dropped but never removed from the code?
      Not everything is some great conspiracy to give the government all of your files so they can forward them to out alien reptile overlords. In fact, nearly nothing is.

      • @Anonymous Coward: "Perhaps an early feature that was dropped but never removed from the code?

        Who was it tested the device for security vulnerabilities before releasing to market. They did run some tests - didn't they?
    • The title is pretty clear about it: It was just discovered into the drives by Tangible Security.

    • "Never attribute to malice that which is adequately explained by stupidity."

      Unfortunately, the explanation is not adequate.

    • "made in NSA" ?? These guys have been at that stuff for decades. Better hope it wasn't FSA or Cn...
    • by AmiMoJo ( 196126 ) on Tuesday September 08, 2015 @02:45AM (#50476767) Homepage Journal

      As much as I love a good NSA/GCHQ conspiracy theory, I think this one is most likely just incompetence. Their NAS boxes run Linux, and telnet is really useful for debugging headless machines during development. Someone either forgot to turn it off before shipping or just assumed that because they changed the default port no-one would find it.

    • supposedly secure storage device.

      It's a wireless NAS - it's insecure in it's very conception, as well as insane.

      OK, slightly less insane - with capacities limited to 500GB, they're only going to take a day or so to fill or empty, depending on how much other traffic you have on your WiFi network. But for fucks sake, if you're going to spend even a femtosecond on thinking about security, then you're going to dump the WiFi for wired.

  • Let me guess (Score:4, Informative)

    by Anonymous Coward on Monday September 07, 2015 @04:30PM (#50474099)

    Closed-source firmware?

    • by Anonymous Coward

      Doesn't matter. How many people verify the firmware on their products match the open source version? Differences when compiled can be shrugged off as different compiler versions. You'd have to verify every instruction. For the people who reflash their devices? So what? Now they simply don't have the back door. It's unlikely to matter and almost everyone won't do it.

      Open source vs closed source means nothing if no one is watching very closely. How much OSS is managed by one or two people? I'd guess

      • by grumbel ( 592662 )

        Differences when compiled can be shrugged off as different compiler versions.

        Yep, and it's not just different compilers, time stamps, compile order on parallel builds, the order of files in the filesystems, install path, compile flags, etc. will all change the resulting binary. Reproducible builds just hasn't been a thing in Free Software community and only very recently did Debian start work on ensuring that their binaries are byte-for-byte reproducible, but that's of course just Debian, we are still far far away from having reproducible builds be the default way how Free Software

        • but that's of course just Debian

          Actually, it isn't. The Linux Foundation is funding the effort, and it's mostly Debian people leading it, but they're working on a variety of projects (including FreeBSD!), not just Debian.

  • My gosh (Score:5, Funny)

    by execthis ( 537150 ) on Monday September 07, 2015 @04:30PM (#50474103)

    My gosh, you would think in this day and age that firmware developers would know better than this. Hard-coded telnet passwords? Seriously?

    • by Anonymous Coward

      1) You think developers make those decisions?
      2) You think that developers hired to write the firmware are of highest quality paid competative salaries and not the shittiest cheapest ones that can do the job so that product runs?

    • Re: (Score:2, Interesting)

      Adding encryption means you can't export them to "non-approved" countries, and raises a great number of hoops to be able to export the product at all..

      https://en.wikipedia.org/wiki/... [wikipedia.org]

      Also, encryption algorithms take more space in the very limited space on firmware and small controller chipsets.

      • Also, encryption algorithms take more space in the very limited space on firmware and small controller chipsets.

        Ye Olde pogoplug has ssh, it's not a very high bar. And that's what I use for my NAS functionality; a series 4 (IIRC) pogoplug, the kind with 2xUSB3 and 1xSATA, running Debian. They cost twenty bucks and use approximately no power...

  • Telnet?! (Score:5, Funny)

    by maugle ( 1369813 ) on Monday September 07, 2015 @04:41PM (#50474175)
    Seriously, who uses telnet instead of ssh in this day and age? I think we're at the point where including telnet - even optionally - in any Internet-facing device should be classified as a malicious act.
    • by Anonymous Coward

      You don't always need encryption, and ssh takes a fair bit of cpu cycles and space to run.

      • by Anonymous Coward

        It doesn't use that much, especially on embedded systems with more modern CPUs and storage space. Consider for example OpenWRT where you can fit into 4MB of flash space a full Linux kernel, busybox system, dropbear ssh server and have space left over for your web server, samba etc. And that ssh implementation is usable even on a 15 year old Linksys device. The NAS drives will have a system on a chip which is far more capable.

        And for a secure storage device I'd argue encryption is always needed. This is a wi

      • by Anonymous Coward

        This device needs some sort of processor to handle all the network storage functions. You can configure SSH to run some very insecure MACs and key exchanges if blindingly fast speed is the flavour of the day. This is not meant to run rsync with compression, it's not for X11 forwarding. It's for debug/administrative purposes.

        SSH being too resource intense is a cop out. It would have been the better choice for their brand reputation if they used SSH instead of Telnet.

        If a cheap 20$ router comes with SSHv2 by

      • AES instructions are included by default in almost every single processor produced in the last 5 years. The only CPU without "the cycles" to run SSH is going to be the smallest oldest industrial control you've never seen.

        There is no valid reason for not using SSH on any product that can install it. I doubt you could find a single product that would struggle with SSH encryption, even in the lowest end ARM or MIPS processors.

        • "AES instructions are included by default in almost every single processor produced in the last 5 years."

          Not in the i3-3xxx mobile cpus (released 2013), celeron N29xx (released 2014), Pentium N35xx (2014), and so on. I.e. my laptop and my SO's... (we're more interested in battery life and compactness)

          And ssh on my phone (ARM) isn't particularly fast even if the hardware supports it. Can't tell whether dropbear and ssh client actually use AES instructions.

    • by Anonymous Coward

      There's no reason for a telnet server. A telnet client, on the other hand, is vastly useful for debugging connection issues (eg firewall misconfigs) because it lets you specify the port.

  • Wrong response (Score:5, Informative)

    by Anonymous Coward on Monday September 07, 2015 @04:50PM (#50474231)

    When a company's firmware is backdoored, you don't just download the patch and hope they won't do it again. You buy from somewhere else.

    • by Cederic ( 9623 )

      Telnet and logging in as 'root' with a default password isn't exactly a backdoor is it.

      It may be an undocumented default password but just fucking change it. Shit, disable telnet too while you're logged on.

      • by Anonymous Coward
        Devices should be secure out of the box
      • Re: (Score:2, Informative)

        by Anonymous Coward

        Did you miss the part where it was a HARDCODED password? That user account and default password will always work, even if you think you've changed it, or if you think the account doesn't exist at all.

    • Re:Wrong response (Score:4, Insightful)

      by AmiMoJo ( 196126 ) on Tuesday September 08, 2015 @06:54AM (#50477351) Homepage Journal

      Consumer laws need to catch up. This kind of vulnerability should be considered a fatal design defect and result in a recall of the affected products, with a full cash refund.

  • Is this crap ever going to stop? I'm ready to chuck my computer out the window.
    • by Lisias ( 447563 )

      You get what you pays for. =(

      • I see, and how much do you have to pay for non-backdoored hardware? A million dollars? Ten million? A hundred million?

        • by Lisias ( 447563 )

          I see, and how much do you have to pay for non-backdoored hardware? A million dollars? Ten million? A hundred million?

          Google is your friend - and try using features and guarantee instead of price when you are sorting the offers.

          Going to the lower spectrum of pricing has a cost.

  • I've always had problems with getting seagates to talk with the other hardware, and said they needed to fix that. I see now that they tried, by going too far down the wrong freaking road again! :P
  • by rtkluttz ( 244325 ) on Monday September 07, 2015 @05:19PM (#50474407) Homepage

    Its pretty much come down to the fact that all corporations are working against the consumers. The best we can hope for is to mix and match vendors and layer our security and don't use cloud based shit. Use open source firewalls and control your outbound ports not just incoming ports.

    Stop trusting these dickheads people.

  • Doesn't anyone do thi? Belkin - Seagate - Android. Isn't it about time companies check their products?

    • Doesn't anyone do thi? Belkin - Seagate - Android. Isn't it about time companies check their products?

      Why should they, when corporations aren't held accountable in any way?

      In fact, stuff like this works to their benefit. "Oops," they say. "We recommend our newer product where this security issue has been fixed." And given the cost of entry for these markets and that apparently all corporations now engage in this sort of behavior, there is nothing for the customer to do but accept it. Writing properly audite

  • ... for a minute there I thought this was a bug in the drive firmware.

    At least with a NAS box bug I can plug in USB and turn off the network interface. With a drive firmware bug I can't really prevent being p0wned until I update the firmware, and drive-firmware updates sometimes require a full backup before you even get started.

  • Comment removed based on user account deletion
    • by mentil ( 1748130 )

      My security update procedure is: laziness. Unfortunately, I'm too lazy to update the procedure.

  • Cheap, you can install debian (Why on earth does evert NAS Manufacturer think that he can do better than to take a standard distribution).

  • by Drakonblayde ( 871676 ) on Monday September 07, 2015 @06:24PM (#50474781)

    On the other hand, anyone who expects a hard drive in a cheap enclosure that offers network services to have a focus on security is a little whacko. If you're serious about network storage, you buy bare drives and put them in something like a Synology, QNAP, or Drobo. I stopped buying external drives with embedded software that I couldn't wipe awhile ago. RIght now, the only external drives I use are WD Elements because they provide what I'm looking for in an external drive - storage on a USB cable and nothing else

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      If you're serious about network storage, you build a FreeNAS server with server parts including ECC RAM and multiple NICs teamed together. You fill it up with WD Red Pro drives or another drive that has appropriate TLER settings for NAS usage. You also plug it into a decent UPS ($300+ true sine wave unit).

      In no universe are Synology, QNAP or Drobo anything more than consumer toys.

      • No real use in getting drives with TLER settings for a NAS as most NAS's don't use a hardware RAID controller and will happily wait for the drive to try all attempts at recovery, even if it takes two minutes.

      • In no universe are Synology, QNAP or Drobo anything more than consumer toys.

        That's a cute sentiment, but I know quite a few small and medium sized businesses that would disagree with you. The higher end units are perfectly capable of performing, they're easy to setup and deploy, and you don't need to keep someone on staff or retainer to perform sysadmin duties for you.

    • Don't worry. The hackers won't be able to get at the data because the drive will crash and you'll lose everything before they even get their telnet terminal up.

  • by Tokolosh ( 1256448 ) on Monday September 07, 2015 @06:37PM (#50474831)

    From CERT website, with prominent NSA logo (https://www.kb.cert.org/vuls/id/903500):

    "Tangible Security would also like to publically thank Seagate for their cooperation and desire to make their products and customers more secure."

  • The only difference between a file server and a NAS is the ridiculously bad CPU and slow, clunky software it's packed with. If you really want a file server, just grab a random linux distro and install it on a PC with a lot of disks.
  • by Anonymous Coward

    A few weeks ago, thought of purchasing one.

    Then, I remembered I had a raspberry pi 2, an old 1tb drive, a usb wireless dongle, and 15 minutes of spare time.

    I now have a device running ssh, that I can rsync to properly firewalled, and can act as an ssh proxy.

    Raspberry Pi 2: $30 - on sale
    Old 1TB Drive : "FREE"
    USB to SATA Converter: $5.00 - with sleep mode!
    Wireless Dongle : Free
    Raspberry Pi Case: $7.99
    2.1A Power Supply : Free

    NO KNOWN BACKDOORS: PRICELESS
    FULL CONTROL OF MY HARDWARE: PRICELESS
    FULL CONTROL OF MY

  • ...why you build your own NAS.
  • Not a backdoor (Score:5, Informative)

    by javispedro ( 1109305 ) on Tuesday September 08, 2015 @05:14AM (#50477095)
    This is not a backdoor.
    • It is not undocumented [google.com]. It uses Arago, an actually open GNU/Linux distribution as firmware (so it is more open source than your average android device!), and the ability to root it via telnet has been available since day 1, with a widely known password.
    • It is not remote, since to access it you need to join the NAS WLAN, and for that you need to passphrase created by the user. If you've managed to guess the passphrase/break that layer, then you've already crossed the airtight hatchway: at that point you can already view all the files on the disk, install adware, viruses, etc.
    • This was being used by plenty of people to install custom Linux distributions such as Debian or Arch on relatively inexpensive hardware. There's even a user focused distribution for the device [hackseagatesatellite.com]

    Basically, another group of security ``researchers'' (use of quotes intentional) manage to force a company making a relatively open embedded product to close it down for tinkerers, while not improving the security of the product at all.

    I hate this world.

  • Lady and gentleman... The NSA NAS! The NSA should give up already... just open up nsa.org and give everyone fast, free unlimited storage, email, etc. Hek, i'd subscribe.

Never test for an error condition you don't know how to handle. -- Steinbach

Working...