An emergency firmware patch is being deployed for old Iomega Network Attached Storage (NAS) devices after they were discovered to have a vulnerability that allows an attacker to read files stored on the device over the internet. Iomega's storage range has been rebranded as LenovoEMC, but many of the older devices are still out there, attached to companies' networks.
Companies often use network storage as fileservers for private documents that must be kept inside the building for security and trade secret reasons, making a data breach affecting them a potentially serious threat for any company hit by an attack. Lenovo is deploying an emergency firmware patch for the Iomega storage boxes and is encouraging anyone with one of the devices to patch their equipment immediately.
An employee at Belfast-based cyber-security firm Vertical Structure made the discovery last autumn, and Vertical Structure has since worked with Silicon Valley firm WhiteHat Security to explore the vulnerability and report it to Lenovo. The storage device was found to be serving files to the internet through an unprotected API call, without any kind of password or authentication checks.
Anyone familiar with the API could request files from the device without even being on the local network. Vertical Structure director Simon Whittaker commented on the find to The Register, which reported the story yesterday: "The API is completely unauthenticated and provided the ability to list, access, and retrieve the files remotely in a trivial manner. It is similar to millions of open [AWS] S3 buckets being discovered."
Source: The Register