Buggy Software in Popular Connected Storage Drives Can Let Hackers Read Private Data (techcrunch.com) 44
Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user's private and sensitive data. From a report: The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested -- NetGear Stora, Seagate Home and Medion LifeCloud -- can allow an attacker to remotely read, change and delete data without requiring a password. Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.
The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies -- including PHP -- to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as "root" -- the built-in user account with the highest level of access -- making the data on the device vulnerable to prying eyes or destruction.
The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies -- including PHP -- to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as "root" -- the built-in user account with the highest level of access -- making the data on the device vulnerable to prying eyes or destruction.
Re: (Score:2)
Well at least the hackers aren't turning them into bombs.
https://media-wired-com.cdn.am... [ampproject.org]
Re: Blah (Score:2)
You say that, but to what extent is it true?
Let's take the hypothetical scenario - you've an A1+ OB-rated computer with hardware-enforced memory segmentation and memory security labelling, and network security labelling. There's no root and everything is by mandatory access control.
Let's say the firewall has been set to block all incoming connections.
The computer is online, but in what sense is all of it online? How do you propose to hack the hard drive of such a machine?
The problem with simplistic descript
Re: (Score:2)
No reason why it would cost that, but blanket statements don't come with an implicit upper bound. If you want claim "for all", you'd best either state range or be damn sure I can't provide an existence proof for an exception.
Re: (Score:2)
Won't work.
First, the firewall is set to block all incoming connections. Makes it impossible to break into, since you can't connect to it.
Second, security labeling means even if you got into the firewall, the firewall can't generate any packets the machine would accept.
Third, because incoming connections are blocked, there are no credentials to intercept.
It doesn't matter what you can get around, it matters only if there's a vector that runs from where you start to where you want to end. No complete path,
Re: (Score:3)
This is basically a single-drive NAS that has a way to log in and access your files when away from home. Sort of like Dropbox in a way, but with apparently terrible security.
Re: This Just IN (Score:2)
What if it's a house on top of K2, with the entrance on the roof reachable only by a deadly maze?
I'd have thought you could leave the front door wide open.
Really? (Score:1)
Re: (Score:2)
Well PHP does stand for PHucked uP =P
(Lighten up, it was a joke)
Axentra -- WTF? (Score:3)
So it seems like it's up to Axentra to fix their poorly coded Piece Of Shit? But do they really even care?
This kind of sloppy programming needs to come with easy-to-litigate civil remedie$ and then maybe it will stop.
Re: (Score:1)
Mr. Eric Lefebvre is the Co-Founder of Axentra,
283 Dalhousie Street
Suite 300
Ottawa, ON K1N 7E5
Canada
Phone: 613-627-1250
Perhaps he would like to respond to this disclosure of such poor security practices?
Re: (Score:3)
and then maybe it will stop.
Naaaaa -- don't you know, it's like the CLOUD baby, where everything goes and you push responsibility as far as you can and then right out the window. There's NO problems at all that an online contract or ROM update won't fix. And of course with surface mount chips, unfixable hardware, and no one ever reading the legals, they'll have to buy your *next* product with it's OWN new problems.
Planned Obsolescence? That's so 1990s. Now they need to pay you for your new product while the old one's still worki
Re: (Score:2)
Re: (Score:2)
Re: Fuck it, I'm blaming the victims here (Score:2)
I would imagine an Internet-connected router could be handy. NAS and SAN drives are, by their nature, capable of being on the Internet.
However, anyone buying a networked appliance should be a fully-qualified firewall admin, and the cloud should really be evaporated.
Re: (Score:3)
There are some quality devices. Synology and QNAP NAS models have solid security, and if you need to add stuff like fail2ban, borg backup, gpg, or other items, that is easily accomplished.
You can have a NAS that is secure enough to sit on a public IP space (not sure why you want to), and be resistant to attack, provided you limit the IP space, enable 2FA, SSH RSA keys, and keep good backups.
Secure NAS products are out there... it is just that some companies just don't seem to care enough about making a sec
"root"? (Score:2)
Somebody felt the need to explain the notion of the root user? On /.?
Goodness.
Re: (Score:2)
The part explaining root was just a quote from the original article.
Re: "root"? (Score:3)
Well, the better users have the issue of LJ that describes how to remove root from Linux. That, together with cgroups, means some are forgetting about such archaic notions.
What is this "Root" (Score:2)
Why would anybody ever have a hard coded admin account?!? That is unbelievable. That is why Linux sucks so bad it has hard coded backdoor accounts! I'm so glad I use BeOS, I don't have to worry about hackers!
CVE-2018-18471 and CVE-2018-18472 not at MITRE.ORG (Score:2)
From the "Wizcase" article:
But CVE-2018-18471 and CVE-2018-18472 are not listed at mitre.org or the NIST database:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18471 [mitre.org]
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18472 [mitre.org]