Files on Seagate wireless disks can be poisoned, purloined – thanks to hidden login

CERT.org has reported Seagate wireless hard drives include “undocumented Telnet services” accessible with a hard-coded password. This allows “unrestricted file download capability to anonymous attackers with wireless access to the device.” And another flaw makes it possible to upload anything into the devices' default file- …

  1. Ole Juul

    Is it the manufacturer or the consumer that has "no idea"?

    "... of course most consumers have shown they've no idea about this stuff by failing to install much-needed new broadband router firmware despite colossal security holes."

    Is it that they have no idea, or is it that they have a different idea? I suspect that many consumers actually have a good idea. They think that when they buy a product it is finished and ready for them to use. The idea that it's simply a proof of concept and a work in progress does not enter their minds - and I can't say I blame them.

    1. Mark 85

      Re: Is it the manufacturer or the consumer that has "no idea"?

      I think the mentality of the customers doesn't jibe with the manufacturer's, and also some manufacturers just don't care. The customer has been trained that they buy a product and dutifully send in the registration card (most but not all do this). Then, if there's a recall or upgrade, they get an email or a postcard or a letter telling them to take the product to XXXX for the fix.

      Even automatic upgrade/updates, whatever, don't always work. My home router is set for "auto updates" and it's never updated. I go check every couple of months for new updates and have only found 2 over the last 4 years.

      Hell, I've seen PCs that have had updates turned off by the owner from the day they first bought and fired up the computer because they didn't want to spend the downtime.

      1. big_D Silver badge

        Re: Is it the manufacturer or the consumer that has "no idea"?

        The problem is, tell your average user they need new firmware because of a Telnet hole, and they will tell you they use O2 for their telephone and they aren't old enough to need support underwear...

        As the others have said, they buy the product assuming it works and will carry on using it until it stops working, just like a fridge, washing machine or TV...

        1. Anonymous Blowhard

          Re: Is it the manufacturer or the consumer that has "no idea"?

          Totally agree; and even if the consumer has a really good level of knowledge, who has time to examine every device they own for security vulnerabilities? And you'd have to re-check after every update in case the manufacturer has added a "helpful feature" that includes a new vulnerability.

          The industry needs to have one, or more, independent testing and certification agencies that consumers can use as a guide before purchasing; certified devices might cost a little more, but should give consumers the confidence that someone independent of the manufacturer has looked at the security aspects of a device.

          The current "race to the bottom" is certainly delivering low prices, but at the cost of poor security.

          1. Crazy Operations Guy

            @ Anonymous Blowhard RE:"independent testing and certification agencies"

            Before my confidence in government was destroyed, I figured that that should be the role of the NSA / GCHQ / etc. They are tasked with cyber defense, so it would be logical that they'd be tasked with ensuring that the average citizen stayed safe when connected to the internet, especially now that the United States would suffer far more damage from a misplaced semicolon in router firmware than from the Pentagon getting nuked.

            1. big_D Silver badge

              Re: @ Anonymous Blowhard RE:"independent testing and certification agencies"

              There are plenty of independent testing agencies out there. We used one last year for testing one of our products, before it was sold to our customers.

              It isn't cheap, but in an industry rocked by scandals (meat production), having a tamper proof system for storing the original data coming from classification systems is an important part of the process, so having it certified was a necessary cost of doing business - complete with pentesting.

            2. Roo
              Windows

              Re: @ Anonymous Blowhard RE:"independent testing and certification agencies"

              "They are tasked with cyber defense, so it would be logical that they'd be tasked with ensuring that the average citizen stayed safe when connected to the internet,"

              Nah, that's what all the filtering/firewalling stuff is for. It's much easier to smother dissent in its cot and keep the citizens in line if you have full control over the information they have access to, and can see exactly what they are up to at all times.

      2. Phil O'Sophical Silver badge

        Re: Is it the manufacturer or the consumer that has "no idea"?

        dutifully sends in the registration card (most but not all do this).

        Do they? Maybe 40 years ago they did, in the UK at least, thinking that it was a way to confirm the guarantee. Consumer legislation since then has made it clear that they have guaranteed rights anyway, so I think most people assume the card is just a way to collect marketing info (they aren't wrong) and they bin the card along with the rest of the packaging. I always do.

    2. dotdavid

      Re: Is it the manufacturer or the consumer that has "no idea"?

      "They think that when they buy a product it is finished and ready for them to use"

      Hell, even the manufacturers often seem to think that when they release a product it is finished and doesn't need ongoing support in the form of software updates....

    3. Roo
      Windows

      Re: Is it the manufacturer or the consumer that has "no idea"?

      In this case it's clear the manufacturer has no clue.

      1) They chose Telnet as the protocol - which sends passwords as clear text.

      2) They have a default password on an easy to guess account name.

      If Seagate genuinely believe that's adequate then I would suggest that they eat their own dogfood in the hope that they will be pwned to the point of being unable to continue operating within a week.
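Roo's first point, that Telnet carries the login in the clear, is easy to demonstrate without any special tooling. The following is an added example, not code from the article or from any commenter: it reconstructs a Telnet login from a captured byte stream. The two byte strings are constructed here to stand in for the client-to-server and server-to-client halves of a session (the "root"/"root" credentials echo what commenters on this thread report, not an observed capture), and the `strip_telnet_iac` helper removes the RFC 854 option negotiation so only the typed text remains. Anyone on the same wireless segment who can see the frames sees exactly this.

```python
"""Recover a Telnet login from cleartext traffic (added example).

Telnet has no encryption and no framing: after IAC option negotiation is
stripped, the username and password the client typed are plain bytes on
the wire. The sample streams below are constructed, not a real capture.
"""
from dataclasses import dataclass
from typing import Optional

# Telnet command bytes from RFC 854.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254


def strip_telnet_iac(data: bytes) -> bytes:
    """Remove IAC negotiation sequences, keeping only terminal text."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):          # truncated command at end of stream
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped literal 0xff
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3                      # IAC <cmd> <option>
        elif cmd == SB:                 # subnegotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                      # two-byte command (NOP, GA, ...)
    return bytes(out)


@dataclass
class TelnetLogin:
    username: str
    password: str


def extract_login(server_to_client: bytes,
                  client_to_server: bytes) -> Optional[TelnetLogin]:
    """Pair the server's login/password prompts with the client's typed lines.

    Assumes the usual order (login prompt, then password prompt) and that
    the first two client lines answer them, which is how a getty/login
    session over telnetd behaves.
    """
    server_text = strip_telnet_iac(server_to_client).decode("latin-1").lower()
    if "login:" not in server_text or "password:" not in server_text:
        return None
    client_text = strip_telnet_iac(client_to_server).decode("latin-1")
    answers = [ln.rstrip("\r") for ln in client_text.split("\n")]
    if len(answers) < 2:
        return None
    return TelnetLogin(username=answers[0], password=answers[1])


# Constructed sample session: option negotiation, then prompts and answers.
SAMPLE_S2C = (bytes([IAC, DO, 0x18, IAC, DO, 0x20])
              + b"\r\nwireless-disk login: " + b"Password: " + b"\r\n# ")
SAMPLE_C2S = (bytes([IAC, WILL, 0x18])
              + b"root\r\n" + b"root\r\n" + b"ls /media\r\n")


def demo() -> Optional[TelnetLogin]:
    """Run the extractor over the constructed sample capture."""
    return extract_login(SAMPLE_S2C, SAMPLE_C2S)


if __name__ == "__main__":
    login = demo()
    if login:
        print(f"cleartext credentials observed: {login.username} / {login.password}")
```

On a real network the same logic would be fed by a packet capture split by direction; here the point is only that nothing in the protocol hides the two answers.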

  2. Anonymous Coward

    That's it!

    It is obvious by now that Seagate has exhausted its pool of minimally competent software engineers.

    There's no possible way in 2015 for someone with a fully functional brain to code this.

    1. Doctor Syntax Silver badge

      Re: That's it!

      "There's no possible way in 2015 for someone with a fully functional brain to code this."

      For development purposes there is. But there's no way for someone with a fully functional brain to release it to production with the development snapshot still in place. Blame marketing.

      1. Anonymous Coward

        Re: That's it!

        If some TLA should just happen to show up on my doorstep brandishing a somewhat worn TESCO-bag containing 50 EUR notes, I am sure that I could make a way. Especially if the currency protects a bottle of single malt!

      2. JLV

        Re: That's it!

        >Blame marketing.

        “undocumented Telnet services”

        Much as blaming marketing is often spot on re sec flaws, if these features are undocumented (in the sense of not being mentioned to customers), then they have no marketing value. So blame devs, management and QA for allowing debug code out in production. Not marketing.

        But yeah, otherwise agree with you.

    2. Anonymous Coward

      Re: That's it!

      When the team is yanked by management before the software is finalized and all the backdoors the dev team were using in testing are removed, this isn't the fault of the developers. Perhaps it's their fault as they expect to be able to do this in a rational (non-rationalizing) universe. We keep seeing this again and again. For a reason. What's released is not what's supposed to be the final product. When release and spec don't match, whose fault is that, though?

      [And so long as there is no strict liability for the company, let alone execs and, unpopularly (past downvotes indicate), ourselves, nothing will change. If I ever fucked up, I was looking at prison. "The prospect of being hanged in a fortnight concentrates the mind wonderfully."]

  3. Charles Manning

    That picture

    A couple of years ago my son and I decided we needed to throw out some old hard disks. We put them out of commission with 12 gauge slugs.

    1. Medixstiff

      Re: That picture

      "We put them out of commission with 12 gauge slugs."

      We have SSDs in our work PCs now and as the old Data Eliminator won't work on these non-magnetic drives, I've been trying to sow the seed that next time we refresh the fleet, our most expendable staff member gets a flight to the nearest easily accessible active volcano, so we can dispose of them that way with a YouTube video for evidence.

      I'm nearly there with having the Chief Information Security officer's approval too.

      1. Haku
        Mushroom

        Re: That picture

        Failing getting to an active volcano there's always Thermite.

        1. Anonymous Custard
          Mushroom

          Re: That picture

          Thermite doesn't work quite as well as you would think/hope, although of course it is fun to watch (from a very safe distance).

          el Reg actually covered this topic not so long ago -

          http://www.theregister.co.uk/2015/08/09/how_to_destroy_your_hard_drives_without_burning_down_the_data_centre/

          1. Haku

            Re: That picture

            Looking at that article, 15 grams of thermite doesn't sound like enough to do much in the way of melting a HDD. I also think SSDs are more susceptible to the effects of thermite, but not finding any videos of people who have tried it (there are plenty of videos of thermite on HDDs), it's still speculation.

            However I did find this video of a Runcore SSD that had two self-destruct buttons, a green button which simply reset the data on the chips and a red button that completely short-circuited the chips, burning and cracking them. The woman actually got out of her chair to get a little distance away before pressing the red button! - https://www.youtube.com/watch?v=GLxaVFBXbCk

        2. Hud Dunlap
          Trollface

          Re: That picture

          Thermite might be hard to get. Tannerite is easier.

          http://www.explodingtargets.org/exploding-target-recipe/

          1. Destroy All Monsters Silver badge
            Paris Hilton

            Re: That picture

            Why are you guys even discussing this? This has nothing to do with the article.

            Might as well discuss jammers to disable the WiFi of the "harddisk".

            1. Haku

              Re: That picture

              @Destroy All Monsters

              If everything on the internet always stayed on topic it would be a stale and dull place.

      2. Simon Harris

        Re: That picture

        "that next time we refresh the fleet, our most expendable staff member get's a flight to the nearest easily accessible active volcano"

        Precious, precious, precious! My Precious! O my Precious!

      3. Julz

        Re: That picture

        There is always the tried and trusted Bessemer converter option. I used to send disc packs to their fiery doom via the ones in Scunthorpe, truly a trip to Mordor...

        1. Tim Bergel
          Thumb Up

          Re: That picture

          You actually used a Bessemer converter to destroy old data? That is a very impressive level of overkill and can only be applauded.

      4. Khaptain Silver badge
        Coat

        Re: That picture

        "I'm nearly there with having the Chief Information Security officer's approval too"

        You mean that the CSO has agreed to take the disks?

    2. fajensen

      Re: That picture

      A generous dollop of ClF3 will clean that dirty data right up!

  4. phil dude
    WTF?

    wtf?

    Icon --->

    P.

  5. Anonymous Coward

    Their firmware update

    From the skill level evidenced by this bug, their "firmware update" is likely to have just changed that default password.

    For bonus points, they might have even moved to ssh. But I doubt it though. :(

    1. Hans 1

      Re: Their firmware update

      The fix? They changed the password to "toor", without quotes, obviously.

      1. Tromos
        Joke

        Re: Their firmware update

        Even better, they heard about two factor security so they also changed the username to 'admin'.

  6. Captain DaFt

    Scary thought:

    The backdoor was at the behest of our malev... er, benevolent overseers, who, after seeing the lack of interest in the Snowden revelations from the great unwashed masses, just don't give a piss about trying to hide the backdoors anymore.

    "But, but, it's obvious, the techies'll spot that in an instant!"

    TLA goon: "So? Nobody else cares, and won't listen to them anyway. So stick it in and put a goddam neon sign on it for all we care!"


  7. Griffo

    Unbelievable

    In these days.. a hardcoded username and pass of root and root ?

    I'm almost speechless.

    1. Mark 65

      Re: Unbelievable

      It really is difficult to decide whether that "mistake" was malicious or incompetent.

      1. Anonymous Coward

        Re: Unbelievable

        Neither. It is simply the fact that bean counters are involved and as usual, the lowest price ergo the lowest quality wins out...

        1. Anonymous Coward

          Re: Unbelievable

          Trying to shift the blame for a poor software design process and/or bad software design decision onto accountants who wouldn't even know what a root log-in is doesn't help anyone.

          1. oldcoder

            Re: Unbelievable

            Except for the fact that the "accountants" dictate the hiring policy and won't pay for quality, testing, or design...

            1. Anonymous Coward

              Re: Unbelievable @Old Coder

              I'm glad someone understood my point. Unlike the 5 bean counters who down voted me!

          2. Hans 1
            Windows

            Re: Unbelievable

            Sure, it is the self-proclaimed Coding King they hired for the job who did it, however, bean counters wanna keep costs as low as possible, so, when they hire a "dev", they get the cheapest ... that usually means a Windows & Surface expert.

          3. Tom 7

            Re: Unbelievable

            I'd hazard that the accountant goons happily overrode the 'clean out any development software leaving just the production stuff' stage.

    2. Pascal Monett Silver badge
      Flame

      Re: Unbelievable

      Most certainly that was part of the testing phase.

      Apparently, when the tests were positive, they just shoved the whole thing into production without anyone giving an effing eff about whether or not they should take out the test access.

      Because obviously nobody would ever think of trying to access something wireless by using root/root as credentials, right? It's only Samsung testers that are authorized to do that.

      1. Anonymous Coward

        @Pascal Monett - Re: Unbelievable

        You mean like in devops?

    3. Charles Manning

      Re: Unbelievable

      This is pretty high security.

      Most embedded Linux systems run as

      user: root

      password <ENTER>

      But then most of these systems don't store gobs of user data.

      Of course if you're willing to void the warranty and fit a serial port, it's even wider than that.
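The two defects Charles Manning describes, a Telnet daemon wired into startup and a root account that accepts a bare <ENTER>, are both visible in the unpacked root filesystem of a firmware image before anything is powered on. The following is an added example, not the article's or any commenter's code, of the audit a practitioner would run over such a tree. The files are represented as an in-memory dict of path to contents, and every entry in it is constructed for the example (the layout is the usual busybox-style inetd.conf, init.d script, passwd and shadow; it is not taken from a Seagate image).

```python
"""Audit an unpacked firmware rootfs for telnetd and passwordless accounts.

Added example. The filesystem is modelled as {relative_path: text} so the
check runs offline; the sample tree below is constructed, not extracted
from any vendor image. Run it on a real tree by reading files into the
same dict after `binwalk -e` or `unsquashfs`.
"""
import re
from typing import Dict, List


def telnet_service_findings(files: Dict[str, str]) -> List[str]:
    """Report every uncommented line that enables telnet via inetd or
    launches telnetd from an init script or inittab."""
    findings: List[str] = []
    for path, text in files.items():
        is_inetd = path.endswith("inetd.conf")
        is_init = ("/init.d/" in path or path.endswith("/rcS")
                   or path.endswith("/inittab"))
        if not (is_inetd or is_init):
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            code = line.split("#", 1)[0].strip()   # drop comments
            if not code:
                continue
            if is_inetd and code.split()[0] == "telnet":
                findings.append(f"{path}:{lineno}: inetd telnet service enabled")
            elif re.search(r"\btelnetd\b", code):
                findings.append(f"{path}:{lineno}: telnetd started: {code}")
    return findings


def passwordless_accounts(files: Dict[str, str]) -> List[str]:
    """Accounts whose password field is empty, i.e. login succeeds on
    <ENTER>. Locked markers ('*', '!', '!!') are not flagged. Busybox
    images sometimes keep the hash in /etc/passwd with no shadow file, so
    passwd is checked for any account the shadow file does not cover."""
    shadow = files.get("etc/shadow", "")
    passwd = files.get("etc/passwd", "")
    weak: List[str] = []
    covered = set()
    for line in shadow.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        covered.add(parts[0])
        if parts[1] == "":
            weak.append(parts[0])
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or parts[0] in covered:
            continue
        if parts[1] == "":
            weak.append(parts[0])
    return weak


def extra_uid0_accounts(files: Dict[str, str]) -> List[str]:
    """Any account other than root with uid 0: a second root-equivalent
    login that is easy to miss when only 'root' is reviewed."""
    names: List[str] = []
    for line in files.get("etc/passwd", "").splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            names.append(parts[0])
    return names


def audit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Run all three checks and return the findings grouped by check."""
    return {
        "telnet": telnet_service_findings(files),
        "passwordless": passwordless_accounts(files),
        "extra_uid0": extra_uid0_accounts(files),
    }


# Constructed sample tree exhibiting both problems from the thread.
SAMPLE_ROOTFS: Dict[str, str] = {
    "etc/inetd.conf": (
        "# ftp stream tcp nowait root /usr/sbin/ftpd ftpd\n"
        "telnet stream tcp nowait root /usr/sbin/telnetd telnetd\n"
    ),
    "etc/init.d/rcS": "#!/bin/sh\nmount -a\n/usr/sbin/telnetd -l /bin/login &\n",
    "etc/passwd": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "support:x:0:0:vendor:/:/bin/sh\n"
        "nobody:x:99:99::/:/bin/false\n"
    ),
    "etc/shadow": (
        "root::0:0:99999:7:::\n"       # empty field: root logs in on <ENTER>
        "support:!:0:0:99999:7:::\n"   # locked, not flagged
        "nobody:*:0:0:99999:7:::\n"
    ),
}

if __name__ == "__main__":
    for check, hits in audit(SAMPLE_ROOTFS).items():
        print(f"{check}: {hits}")
```

A hashed root password would pass this check and still be a default; that case needs the hash compared against the vendor's known defaults, which is a separate step this example does not attempt.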

  8. Anonymous Coward

    Telnet with root and root in 2015?!

    I fucking despair.....

  9. Anonymous Coward

    Opportunity

    Surely there's at least one gear review website that includes a pen test in its suite of review tests?

  10. Anonymous Coward

    Hardcoded effing passwords !

    The assholes who did this and sanctioned it need tarring, feathering and running out of town.

  11. Chairo

    Could have been worse

    They could have used "administrator" and left the password empty, like they do on most home routers...

    Honestly...

  12. Anonymous Coward

    15 years ago (ish) when the internet / computers / mobiles (technology I suppose) really started to become a thing for people I could understand rushing half baked products to market. The growth rate was phenomenal and a few months could make all the difference.

    This HD with a WiFi bolt-on isn't a product like that though. If they'd taken a couple of months extra to make sure it was secure, sales would be exactly what they are now. Better perhaps, because people could trust the device. Sadly I think it'll only change with legislation making companies liable for bugs, particularly security issues, in their software. It's not a good solution and we really don't need more half-baked legislation, but the alternatives don't seem to work.

  13. Anonymous Coward

    Every time

    I see something like this, I get a little more like Charles LaRousse Dreyfus.

  14. batfastad

    IoT?

    Yeah... good luck with that.

  15. Peter Brooks 1
    Pint

    WD Passport - Wireless is the same

    It's exactly the same with the Western Digital WD Passport Wireless disc.

    The difference is that the WD Passport has the source code provided, so you can download it, find the support trapdoors, remove them, recompile and install it.

    You can remove the cruft you don't want at the same time.

  16. razorfishsl

    I just cannot wait for the IOT.....

    Currently old fridges and microwaves thrown away have no interest value.

    Soon it will have a PCB with embedded linux and wireless services to be recovered, just like the TV's that are starting to appear by the rubbish bins.

    Add into that the major stupidity of corporate software 'Engineers' and the future is looking bright,

    Most people don't know that modern refrigerators are now filled with masses of explosive gas, since the non explosive stuff was deemed to be damaging the planet, they just gave it a 'magic' name because people would not have a fridge filled with butane/propane mix in their house.

    1. Ole Juul

      modern refrigerators and flammability limit

      We're getting off topic here, but I couldn't leave this alone:

      "Most people don't know that modern refrigerators are now filled with masses of explosive gas"

      There aren't masses of explosive gas. It's a limited quantity and it's limited to an amount that, when mixed with the quantity of air in a small kitchen, will not form an explosive mixture. Propane, you see, will not ignite unless the gas/air mixture is within the flammability range, which in this case is quite narrow. So, pure propane won't ignite, and nor will a thin mixture. Other flammable gases like acetylene have a very wide flammability range and therefore are quite dangerous. Propane, in the quantities used in fridges, is not dangerous. (See Wikipedia: Flammability limit)

      1. Anonymous Coward

        Re: modern refrigerators and flammability limit

        Those fridges are dangerous, I'll tell you hwhat.

        </hank_hill>

  17. Kevin McMurtrie Silver badge

    At what point is it no longer "hacking"

    How open does a system need to be before it's no longer "hacking" to use it? Let us say that you have a big pile of money in your house next to a window. Breaking the window and stealing the money is illegal. Finding that the door is unlocked and stealing the money is still illegal. But maybe there's no house and no fence but just a pile of money with a "free money" sign along the sidewalk. That's what I think of when this bug happens.

  18. Anonymous Coward
    Trollface

    Just thinking outside the box here, suppose your device automatically downloaded critical security patches? Oh wait, that's beyond wrong isn't it!

  19. Anonymous Coward

    Re. At what point is it no longer "hacking"

    Thinking outside the box here, maybe the FCC can clamp down and *require* owners of said drives to fix this or be not allowed to use them.

    Should scanning for vulnerable devices and alerting the owners be added to the list of Police/TSA/etc functions?

  20. f-bone

    Back-door fine

    There should be legislation forcing companies that purposely or accidentally leave such backdoors to their products pay a fine of a few million dollars... Having business secrets - no matter how small - or personal data being hacked because a stupid ass company left a backdoor is unacceptable. Ask me if I am buying Seagate again no matter how many firmware updates they release.

  21. dshan

    Better Get Used to 'Em

    Backdoors, you'd better get used to 'em. If the governments of our freedom-loving nations have their way they'll soon be compulsory.
