An analysis conducted by researchers at Vertical Structure and WhiteHat Security allowed discovering a vulnerability in discontinued Iomega/Lenovo NAS devices, tracked as CVE-2019-6160, that exposed millions of files.
The discovery was made in the fall of 2018 querying the Shodan search engine and revealed 5,114 devices storing over 3 million files. The issue exposed roughly 20,000 documents, 13,000 spreadsheets, 13,000 text files and 405,000 pictures. Some of the documents contained sensitive information, including card numbers and financial records.
The experts believe the actual number of exposed systems could be
“Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106.” states a blog post published by WhiteHat Security.
“Within these files, there was a significant amount of files with sensitive financial card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded Lenovo-EMC in a joint venture.”
The vulnerability could have been exploited by a remote,
The exploitation of the issue could be automated by developing a script that scans the internet for vulnerable Iomega/Lenovo NAS devices and sends crafted requests to the vulnerable ones.
After the researchers
“A vulnerability in Iomega and LenovoEMC NAS products could allow an
In October 2018, experts at Lenovo discovered nine vulnerabilities affecting discontinued Iomega and LenovoEMC NAS devices that could be exploited by