Seagate wireless hard drives have a hidden root account

A number of Seagate wireless hard drives have a hidden root account which make them vulnerable to hackers and an attacker could gain remote access to the device.

The flaw was discovered by researchers at security firm Tangible Security and are said to be present as early as October 2014, affecting firmware versions 2.2.0.005 and 2.3.0.014..

Seagate wireless hard drives provides undocumented Telnet services accessible by using the default credentials of ‘root’ as a username and the default password,” a public advisory  explained.

Other vulnerabilities include:

  • Unrestricted Upload of File with Dangerous Type
  • Direct Request (‘Forced Browsing’)

According to US-CERT public advisory, these vulnerabilities are present in three models which are manufactured by Seagate.

  • Seagate Wireless Plus Mobile Storage
  • Seagate Wireless Mobile Storage
  • LaCie FUEL

The flaw can be fixed if you upgrade the device firmware to the latest version 3.4.1.105