Owners of Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and LaCie FUEL devices purchased since October 2014 will want to point a web browser to the Seagate website as soon as possible after Tangible Security identified a security vulnerability in the drives that could expose data to malicious attackers.
The LaCie FUEL drives should be of particular interest to readers of the OWC Rocket Yard Blog, as they’re offered for sale by OWC in 1TB and 2TB capacities. The drives feature their own built-in 802.11n Wi-Fi network and are useful for storing or retrieving data wirelessly, particularly in the field.
The vulnerability includes a hard-coded username and password (“root” for both) that gives attackers access to an undocumented Telnet service in the device. Telnet is used from the command line of many operating systems to log into remote computers over an Internet or local network connection. Attackers could use the flaw to take control of the remote drive, steal files from it, and even turn it into a “robot” for attacking others.
Another flaw gives attackers unrestricted file download access once in range of the device’s wireless network, while a third defect could let attackers upload malicious files to the device. If a user were to download one of the malicious files, it could compromise their Mac or PC as well.
If your device is running firmware versions 2.2.0.005 or 2.3.0.014, there’s a patch available directly from Seagate to upgrade the drive firmware to version 184.108.40.206. Seagate’s Download Finder allows the entry of your device’s serial number to determine if the firmware needs to be updated.