A vulnerability in the API of Lenovo-EMC Iomega external storage devices resulted in a huge data leak of more than three million files, according to research partners Vertical Structure and WhiteHat Security.
The researchers uncovered the vulnerability in late 2018, having noticed "a pattern of unmarked files that looked out of place" in a Shodan.io search. They found that Lenovo-EMC Iomega external hard drives exposed stored files to specially crafted API requests, even though those files were not reachable through the devices' web interface.
In total, 36 terabytes of data were found to have leaked, according to the researchers: "The number of files in the index totaled 3,030,106. Within these files, there was a significant amount of files with sensitive financial information including card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded Lenovo-EMC in a joint venture."
According to the researchers, Lenovo followed best practice in remediating the vulnerability: it pulled three versions of its software out of retirement to tide users over while a patch was created, and it investigated old software for other potential vulnerabilities. The issue has since been patched by Lenovo and is detailed here.
"Lenovo’s professional approach to vulnerability disclosure offers a good lesson for other organisations who experience similar challenges. Not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it", said the researchers.
It is certainly not the first time that trusted storage devices have turned out to be less secure than presumed: a previous disclosure, detailed here, covered multiple security weaknesses in the web UI of Iomega and LenovoEMC NAS products in 2018.
The vulnerability disclosure comes just days after an Italian security research team found nine security vulnerabilities in Lenovo server infrastructure, two of which were high-severity flaws. Team Swascan detailed the vulnerabilities in a blog post, and also noted that "Lenovo’s attention to our discoveries together with the email exchanges, the evaluations, the remediation activities, and the resolution times were among the most serious, professional, and transparent that we have witnessed in our careers".