Belfast-based Vertical Structure unearths serious Lenovo NAS vulnerability

  • Belfast cyber-security and infosec company Vertical Structure has helped expose a major vulnerability in some Lenovo file storage devices allowing attackers to read files over the internet.

    An emergency firmware patch is being deployed for old Iomega Network Attached Storage (NAS) devices after they were discovered to have a serious security vulnerability that allows an attacker to read your files stored on the device over the internet. Iomega's storage range has been rebranded as LenovoEMC, but many of the older devices are still out there attached to companies networks.
     
    Companies often use network storage as fileservers for private documents that must be kept inside the building for security and trade secret reasons, making a data breach affecting them a potentially serious threat for any company hit by an attack. Lenovo is deploying an emergency firmware patch for the Iomega storage boxes and is encouraging anyone with one of the devices to patch their equipment immediately.

    An employee at Belfast-based cyber-security firm Vertical Structure made the discovery last autumn, and Vertical Structure has since worked with Silicon Valley firm WhiteHat Security to explore the vulnerability and report it to Lenovo. The storage device was found to be offering files to the internet without any kind of password or authentication checks using an unprotected API call.

    Anyone familiar with the API could request files from the device without even being on the local network. Vertical Structure director Simon Whittaker commented on the find to The Register, which reported the story yesterday: "The API is completely unauthenticated and provided the ability to list, access, and retrieve the files remotely in a trivial manner. It is similar to millions of open [AWS] S3 buckets being discovered."

    Source: The Register

    About the author

    Brendan is a Sync NI writer with a special interest in the gaming sector, programming, emerging technology, and physics. To connect with Brendan, feel free to send him an email or follow him on Twitter.

    Got a news-related tip you’d like to see covered on Sync NI? Email the editorial team for our consideration.

Share this story