Files on Seagate wireless disks can be poisoned, purloined – thanks to hidden login
CERT.org has reported Seagate wireless hard drives include “undocumented Telnet services” accessible with a hard-coded password. This allows “unrestricted file download capability to anonymous attackers with wireless access to the device.”
And another flaw makes it possible to upload anything into the devices’ default file-sharing directory.
The wireless hard drives pack a hard disk and Wi-Fi controller into a small package. Seagate markets the products as a great way for several portable hand-held devices to access content, most often in a home environment. The devices are, however, effectively a small network-attached storage device: there’s every chance more than a few are doing duty as a de facto file server in very small businesses.
The three flaws present in the device mean that anyone on your network – or who can reach it from the outside – armed with the default password of “root” and enough savvy to try the username “root” can download the entire contents of the Seagate devices, then upload malware into them.
Are you kidding me?
User = root
Secret password = root.
Seriously… like seriously!