Patch now before you get your NAS kicked: Iomega storage boxes leave millions of files open to the internet

API blunder exposes data, fix incoming from Lenovo

Lenovo is emitting an emergency firmware patch for Iomega NAS devices after the network-attached storage boxes were discovered inadvertently offering millions of files to the internet via an insecure software interface.

Infosec outfits Vertical Structure, based in Northern Ireland, and WhiteHat Security, headquartered in Silicon Valley, together found and reported the vulnerability to Lenovo, we're told. If you're thinking, wow, Iomega, I didn't know they were still going: EMC bought it in 2008, and in 2013 a Lenovo-EMC joint venture rebooted the brand as LenovoEMC gear.

We're told this file-leaking flaw was discovered last autumn by a Vertical Structure employee who found a strange bunch of files showing up in search results on Shodan.io, a website for finding all sorts of public-facing systems, from bog-standard web servers to power plant equipment and Internet-of-Things gizmos.

After some digging, Vertical Structure concluded the documents were being offered to the internet, without any password or other authentication checks, via an unprotected API call: an interface that software programs use to talk to each other. That means anyone aware of the API and its security shortcomings could have searched Shodan for vulnerable public-facing Iomega NAS drives and siphoned off strangers' file systems.

"The API is completely unauthenticated and provided the ability to list, access, and retrieve the files remotely in a trivial manner," Vertical Structure director Simon Whittaker told El Reg on Monday. "It is similar to millions of open [AWS] S3 buckets being discovered."

The API was eventually tracked down to an older set of Iomega NAS boxes that were, via the dodgy interface, leaving millions of files exposed to the web. It appears the API is provided to share files over the network, as you'd expect from a network-attached storage device. Unfortunately, however, this API can be accessed without any password, which is super-bad news for those boxes facing the public internet, as many were and still are.

"Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106," Vertical Structure and WhiteHat said in a summary of the bug, shared with El Reg ahead of its public distribution on Tuesday.

"Within these files, there was a significant amount of files with sensitive financial information including card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded LenovoEMC in a joint venture."

Of those three million files, Whittaker said 405,398 were images, 20,055 were documents, 13,677 were spreadsheets, and 13,972 were text documents.

After realizing the extent of the exposure, Vertical Structure called in WhiteHat, who ran their own investigation on the leak, and confirmed that public-facing Iomega-LenovoEMC devices were in fact spewing data onto the internet.

The two companies then alerted Lenovo to the problem, and the vendor responded by bringing the software out of retirement to address the bug. Details of the API flaw were not shared as the patch for the hole has only just landed, we understand.

In short, check you're running the latest firmware on your Iomega or LenovoEMC NAS box in order to protect against attack. Lenovo declined to comment, although a spokesperson told us it will release a customer advisory on Tuesday with more information. We imagine the memo will appear here at some point. ®
