On the heels of last week’s news about ransomware attacking a network-attached storage device, LenovoEMC’s Iomega NAS devices have been found vulnerable.
Earlier this week, Vertical Structure of Northern Ireland and WhiteHat Security discovered the vulnerability and notified LenovoEMC. More than 3 million total files were identified as vulnerable, including 20,055 documents, 13,677 spreadsheets, 13,972 text files and 405,395 photo files. There could be many more, because the files were identified by their extensions, according to Simon Whittaker, a director at Vertical Structure.
“Many additional could be csv, backups, accounting files, etc.,” he said. “They could have grabbed any and all files from the devices. The API is completely unauthenticated and provided the ability to list, access and retrieve the files remotely in a trivial manner. It is similar to thousands of open [Amazon] S3 buckets being discovered.”
While there is no excuse for a lack of security on the interface in today’s broadband world, it is an old codebase that may not have been originally intended for broadband use. Because of its age, it may not have been tested as thoroughly as it should have been, he said.
To Lenovo’s credit, the company issued a firmware patch for the devices as soon as it was notified of the vulnerabilities. Lenovo was quick and easy to reach, and pulled code out of retirement from three codebases to fix the problem, Whittaker said.
Yet this isn’t the first time known vulnerabilities have been discovered in Iomega. Last August, researchers at ISE Labs discovered a series of vulnerabilities that could impact its NAS devices. After taking some time to update the firmware, Lenovo informed its customers in October, explaining that attackers could exploit command-injection vulnerabilities in the operating system of the devices, allowing them to remotely take over the devices via root shell.
While these vulnerabilities are serious, they are somewhat different from the vulnerabilities discovered last week on QNAP devices. In that case, ransomware was discovered on QNAP NAS devices. The vulnerability, called eCh0raix, encrypts targeted file extensions on the NAS using AES encryption and appends an “.encrypt” extension to the encrypted files. It then demands a ransom in bitcoin.
The difference, Whittaker said, is that while the eCh0raix allows execution, the Iomega vulnerability doesn’t allow hackers to directly execute files. Instead, it can perform file manipulations.
Hackers Focusing on Storage, SMBs
Yet they do have enough similarities to form somewhat of a trend.
“First, there is a clear trend of hackers starting to focus on storage. We’ve seen it twice in the past few weeks, and we’ve also seen reports of data being stolen out of Amazon S3,” said Steve McDowell, a senior analyst at Moor Insights & Strategy. “Secondly, both of the latest vulnerabilities target relatively unsophisticated users in the small/medium/home office space who typically don’t have an IT staff.”
Vendors and users share responsibility for keeping storage devices safe.
McDowell said vendors should up their game by enabling auto-patching on consumer and small office-grade devices. They should also take greater measures to test devices more thoroughly.
At the same time, users should keep up to date on patches at all times.
“These boxes are all built on the same open-source power stacks that are powering your servers and workstations, and you don’t take security for granted on your server,” he said. “Do the same thing with your storage devices. Set a reminder and make sure you are running the latest firmware.”