Buggy software in popular connected storage drives can let hackers read private data

[nir]

Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user’s private and sensitive data.
 

The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested — NetGear Stora, Seagate Home and Medion LifeCloud — can allow an attacker to remotely read, change and delete data without requiring a password.

 

Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.
 

The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies — including PHP — to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as “root” — the built-in user account with the highest level of access — making the data on the device vulnerable to prying eyes or destruction.

 

We contacted Axentra for comment on Thursday but did not hear back by the time of writing.
 

Neither Netgear nor Seagate commented by our deadline, but we’ll update if that changes. Lenovo, which now owns Medion, did not respond to a request for comment.

 

The researchers also reported a separate bug affecting WD My Book Live drives, which can allow an attacker to remotely gain root access.

 

A spokesperson for WD said that the vulnerability report affects devices originally introduced in 2010 and discontinued in 2014, and “no longer covered under our device software support lifecycle.” WD added: “We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.”

 

In all four vulnerabilities, the researchers said that an attacker only needs to know the IP address of an affected drive. That isn’t so difficult in this day and age, thanks to sites like Shodan, a search engine for publicly available devices and databases, and similar search and indexing services.

 

Depending on where you look, the number of affected devices varies. Shodan puts the number at 311,705, but ZoomEye puts the figure at closer to 1.8 million devices.
 

Although the researchers described the bugs in moderate detail, they said they have no plans to release any exploit code to prevent attackers taking advantage of the flaws.

 

Their advice: If you’re running a cloud drive, “make sure to remove your device from the internet.”

 

Source

[straycat19]

If you want external storage the best way to go is with Network Attached Storage (NAS).  After our IT department did some testing on small storage units they recommended Drobo.  Since then I have purchased six Drobo 5N/5N2 devices, one Drobo 4 (USB), and a mini Drobo (8TB portable USB using 2.5 inch drives).  They are secure, the data is extremely safe, and they can be accessed securely remotely.  By attaching them to a separate switch I can remotely add or remove the switch from the network, which in conjunction with the login required for each separate NAS makes them extremely secure.  That may seem like a lot of trouble but it depends on how you want to access your data and how secure you want it to be.  I like to be able to securely access my data at home from work or anywhere else I am over any device.

[halvgris]

On 10/19/2018 at 11:09 PM, straycat19 said:

If you want external storage the best way to go is with Network Attached Storage (NAS).  After our IT department did some testing on small storage units they recommended Drobo.  Since then I have purchased six Drobo 5N/5N2 devices, one Drobo 4 (USB), and a mini Drobo (8TB portable USB using 2.5 inch drives).  They are secure, the data is extremely safe, and they can be accessed securely remotely.  By attaching them to a separate switch I can remotely add or remove the switch from the network, which in conjunction with the login required for each separate NAS makes them extremely secure.  That may seem like a lot of trouble but it depends on how you want to access your data and how secure you want it to be.  I like to be able to securely access my data at home from work or anywhere else I am over any device.

hey listen, there is no thing that is secure in this day and age.

 

anything connected to a network isn't safe.

 

depending on where you live you may even be monitored

or screened from any digital device.

 

password protected? sure but hackers won't use it they will

inject malicious data to access your units.