Patch now before you get your NAS kicked: Iomega storage boxes leave millions of files open to the internet
API blunder exposes data, fix incoming from Lenovo
Lenovo is emitting an emergency firmware patch for Iomega NAS devices after the network-attached storage boxes were discovered inadvertently offering millions of files to the internet via an insecure software interface.
Infosec outfits Vertical Structure, based in Northern Ireland, and WhiteHat Security, headquartered in Silicon Valley, together found and reported the vulnerability to Lenovo, we're told. If you're thinking, wow, Iomega, I didn't know they were still going: EMC bought it in 2008, and in 2013, a Lenovo-EMC joint venture rebooted the brand as LenovoEMC gear.
We're told this file-leaking flaw was discovered last autumn by a Vertical Structure employee who found a strange bunch of files showing up in search results on Shodan.io, a website for finding all sorts of public-facing systems, from bog-standard web servers to power plant equipment and Internet-of-Things gizmos.
After some digging, Vertical Structure concluded the documents were being offered to the internet, without any password or other authentication checks, via an unprotected API call: an interface that software programs use to talk to each other. That means anyone aware of the API and its security shortcomings could have searched Shodan for vulnerable public-facing Iomega NAS drives, and siphoned off strangers' file systems.
"The API is completely unauthenticated and provided the ability to list, access, and retrieve the files remotely in a trivial manner," Vertical Structure director Simon Whittaker told El Reg on Monday. "It is similar to millions of open [AWS] S3 buckets being discovered."
The API was eventually tracked down to an older set of Iomega NAS boxes that were, via the dodgy interface, leaving millions of files exposed to the web. It appears the API is provided to share files over the network, as you'd expect from a network-attached storage device. Unfortunately, however, this API can be accessed without any password, which is super-bad news for those facing the public internet, as many were and still are.
"Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106," Vertical Structure and WhiteHat said in a summary of the bug, shared with El Reg ahead of its public distribution on Tuesday.
"Within these files, there was a significant amount of files with sensitive financial information including card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded LenovoEMC in a joint venture."
Of those three million files, Whittaker said 405,398 were images, 20,055 were documents, 13,677 were spreadsheets, and 13,972 were text documents.
After realizing the extent of the exposure, Vertical Structure called in WhiteHat, who ran their own investigation on the leak, and confirmed that public-facing Iomega-LenovoEMC devices were in fact spewing data onto the internet.
The two companies then alerted Lenovo to the problem, and the vendor responded by bringing the software out of retirement to address the bug. Details of the API flaw were not shared as the patch for the hole has only just landed, we understand.
In short, check you're running the latest firmware on your Iomega or LenovoEMC NAS box in order to protect against attack. Lenovo declined to comment, although a spokesperson told us it will release a customer advisory on Tuesday with more information. We imagine the memo will appear here at some point. ®