Seagate wireless hard drives open wide to attack

Several Seagate wireless hard-drives have been found to be affected by multiple vulnerabilities, the CERT Coordination Center of the Software Engineering Institute at Carnegie Mellon University warns.

The first one allows an attacker to access undocumented Telnet services by using “root” as both username and password. The second one allows an attacker to download files stored in the device. The third one allows him (or her) to upload files onto the device, and if they are malicious, they could end up compromising other endpoints when opened.

An attacker that wishes to exploit these bugs must be within range of the device’s wireless network.

Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL with firmware versions 2.2.0.005 and 2.3.0.014 have been confirmed to be affected, and its possible that other products might be vulnerable, as well.

Seagate has released firmware (v3.4.1.105) to plug the holes, and users are advised to update it as soon as possible (the update can be found here).

There is no evidence that attackers have been exploiting the holes in attacks in the wild.