Lenovo is emitting an emergency firmware patch for Iomega NAS devices after the network-attached storage boxes were discovered inadvertently offering millions of files to the internet via an insecure software interface.
Infosec outfits Vertical Structure, based in Northern Ireland, and WhiteHat Security, headquartered in Silicon Valley, together found and reported the vulnerability to Lenovo, we're told. If you're thinking, wow, Iomega, I didn't know they were still going: EMC bought it in 2008, and in 2013 a Lenovo-EMC joint venture rebooted the brand as LenovoEMC gear.
We're told this file-leaking flaw was discovered last autumn by a Vertical Structure employee who found a strange bunch of files showing up in search results on Shodan.io, a website for finding all sorts of public-facing systems, from bog-standard web servers to power plant equipment and Internet-of-Things gizmos.
After some digging, Vertical Structure concluded the documents were being offered to the internet, without any password or other authentication checks, via an unprotected API call: an interface that one piece of software exposes so that other software can talk to it. That means anyone aware of the API and its security shortcomings could have searched Shodan for vulnerable public-facing Iomega NAS drives and siphoned off strangers' file systems.
"The API is completely unauthenticated and provided the ability to list, access, and retrieve the files remotely in a trivial manner," Vertical Structure director Simon Whittaker told El Reg on Monday. "It is similar to millions of open [AWS] S3 buckets being discovered."
The API was eventually tracked down to an older set of Iomega NAS boxes...