Seagate drives at risk of data theft over hidden 'root' account

A public vulnerability disclosure warns that an attacker could remotely download files from an affected hard drive, thanks to the hard-coded default password.

A number of Seagate hard drives are vulnerable to data theft, thanks to an undocumented, in-built user account that could give an attacker remote access to the device.

"Seagate wireless hard-drives provide undocumented Telnet services accessible by using the default credentials of 'root' as username and the default password," said a public advisory posted Tuesday.

The vulnerability is just one of many flaws in three wireless hard drives manufactured by the company, the advisory said.

Other flaws included in the advisory allow an attacker to "directly download files from anywhere on the file system."

Seagate Wireless Plus Mobile Storage, Seagate Wireless Mobile Storage, and the company's LaCie Fuel hard drives are said to be affected by the flaw.

The flaws, discovered by researchers at security firm Tangible Security, are said to date back to as early as October 2014, affecting firmware versions 2.2.0.005 and 2.3.0.014.

The flaws are fixable if affected devices are updated to the latest firmware. But the hard drive manufacturer didn't escape a jab from respected security researcher Kenn White, who criticized the company in a tweet on Sunday.

"People don't expect DOD-level security but, Seagate, please stop adding hidden hardcoded root logins to hard drives," White wrote.

Seagate did not respond to a request for comment at the time of writing.