In a timely reminder I received notification from Iomega that there were potentially some issues with public-facing access to their NAS products. Ironically, yesterday I outlined for a client the options to best secure something like this which they were hoping to implement. As with any file or media sharing – understanding what surface you are exposing can be tricky – especially if the supplier has already made some decisions for you, which you may not be fully aware of until they highlight them.
Below is the Iomega summary:
Important Security Information
Security Risk Summary: Your Iomega network storage device may be at risk of being accessed by an unauthorized user if your device is visible from the Internet (for example because “remote access” is on) if you have not restricted access privileges for each of your content folders (“Shares”). Enabling the administrative security feature on the device and creating an administrator user does not by itself protect your device because it does not automatically change access privileges for existing Shares. Certain folders on your device allow access to “Everyone” if you have left the default setting as “Everyone” rather than changing to restricted access, or if you have enabled Media Sharing for the Share. Thus, for devices visible from the Internet, you must also manually restrict user access privileges for each Share (each content folder) you want protected. Iomega has issued this Security Information to elaborate on end-user instructions previously provided, and emphasize the steps necessary to help secure user content according to the desired level of access.
Security Risk Details: All Iomega network storage devices ship with settings that allow files to be shared on the customer’s network. The device ships that way in order to provide a simple setup experience for users in a home or local network environment. In a properly configured network, the network router blocks unauthorized access to the network from the Internet. On such a network, unless a remote access feature (for example, Remote Access, Personal Cloud, or Media Server) has been enabled on the Iomega device, or the user manually configures their router to port forward Internet traffic to it, the Iomega device should not be accessible, nor should it be visible from the Internet.
Your device becomes visible via the Internet if, for example: (a) there's no firewall/router between the device and the Internet, (b) the remote access feature on the device is activated, or (c) UPnP (auto-forwarding) is engaged on the router and Personal Cloud or Media Server is enabled. If your device is visible from the Internet, and if you do not desire public access to content, and if you have not already confirmed that you have the access restrictions for each folder exactly limited as you would like, then we strongly recommend that you take the steps described below to protect it from unauthorized users.
NOTE: You need to take these steps even if you enabled the security feature on the device and created an administrator user [1], because existing Shares may be set up to designate access to “Everyone” unless you list specific, more limited access; you need both security enabled, and the access to list whatever you intend (don't list access to everyone unless you desire access for everyone). So for each folder, please be sure that your access restrictions are the restrictions you desire.
How to Avoid the Risk: As a general practice, whether you use the Iomega device or not, it is highly recommended to properly configure your home/local network to ensure that your devices and data on the network are not visible from the Internet. Resources such as www.staysafeonline.org/stay-safe-online/keep-a-clean-machine/securing-your-home-network provide information on how to secure home networks.
To protect the content on your Iomega device from unauthorized access, including when your Iomega device is visible from the Internet (because of the network configuration or if a remote access feature is enabled on the device), you must be sure you (or your device administrator) follow ALL of these steps:
- Check to ensure your device is running the latest firmware by comparing the version on your device with the Firmware Version page posted for your device on www.iomega.com/support. If you need to update your firmware, follow the instructions provided on the Firmware Version page. See the Update Firmware section below for additional information.
- Enable the administrative security feature on the device (referred to by the software as “Enable Security”) and create an administrator user. Detailed instructions for this are available on www.iomega.com/support and in the web management interface help available on your device. If your device is running firmware version 3.2.3 or above, you can access instructions using the following link: https://iomega-na-en.custhelp.com/app/answers/detail/a_id/26392
NOTE: This step alone will not secure data in the Shares. It will only secure the device's administrative options.
- Set up the users or groups you want to grant access to all or part of the content on your device.
- For each Share that you want to restrict access to: (a) uncheck the “Media sharing” option if it appears in the Share information; (b) remove the checkmarks for access by user “Everyone”; (c) add the appropriate users and/or groups; and, (d) select the desired privileges associated with each such user/group.
NOTE: Any Share marked for read or read/write access by user “Everyone”, or any Share with Media Sharing checked [2], is accessible by anyone who has access to your network, including via the Internet if you are using remote access and/or Personal Cloud [3].
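As an added illustration (not Iomega's code, nor any real export format of the device), here is a small Python model of the exposure rule the notice describes: a share is reachable by anyone on the Internet when the device is visible (conditions (a) to (c) above) and the share still grants “Everyone” access or has Media Sharing on, and enabling administrative security alone changes none of that. The inventory layout and the sample shares are constructed assumptions.

```python
"""Audit a constructed NAS share inventory for shares reachable from the
Internet, following the rules in the Iomega notice. Added example code;
the Device/Share layout is an assumption, not an Iomega export format."""
from dataclasses import dataclass, field

@dataclass
class Share:
    name: str
    everyone: str = "none"          # "none", "read" or "read/write"
    media_sharing: bool = False     # Media Sharing bypasses share restrictions
    users: dict = field(default_factory=dict)  # user -> "read"/"read/write"

@dataclass
class Device:
    security_enabled: bool          # "Enable Security" + admin user created
    remote_features: set            # subset of {"Remote Access", "Personal Cloud", "Media Server"}
    upnp_on_router: bool
    behind_firewall: bool
    shares: list

def internet_visible(dev: Device) -> bool:
    """Conditions (a), (b) and (c) from the notice."""
    return (not dev.behind_firewall
            or "Remote Access" in dev.remote_features
            or (dev.upnp_on_router
                and bool(dev.remote_features & {"Personal Cloud", "Media Server"})))

def open_to_everyone(share: Share) -> list:
    """Reasons a share is readable by anyone who can reach the device."""
    reasons = []
    if share.everyone in ("read", "read/write"):
        reasons.append(f'"Everyone" has {share.everyone} access')
    if share.media_sharing:
        reasons.append("Media Sharing is enabled (ignores share restrictions)")
    return reasons

def audit(dev: Device) -> dict:
    """Map share name -> reasons for every share exposed to the Internet.
    dev.security_enabled is deliberately not consulted: per the notice it only
    locks the admin interface and does not alter existing Share permissions."""
    if not internet_visible(dev):
        return {}
    return {s.name: r for s in dev.shares if (r := open_to_everyone(s))}

# Constructed sample inventory (not data from any real device).
SAMPLE = Device(
    security_enabled=True, remote_features={"Personal Cloud"},
    upnp_on_router=True, behind_firewall=True,
    shares=[Share("Public", everyone="read/write"),                        # default left as-is
            Share("Photos", media_sharing=True, users={"alice": "read"}),  # restricted but media on
            Share("Finance", users={"bob": "read/write"})])                # properly restricted

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name}: " + "; ".join(reasons))
```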
You can refer to any of the following sources for additional information on how to Enable Security and change user access settings for device Shares:
- Help files available from the device’s web management interface
- The user’s guide for your device (available to view or download from www.iomega.com/support)
- Web support for your device – go to www.iomega.com/support, select your device, and search for “security” or “managing shares”
If you encounter any difficulties while making the changes described above, or have questions regarding this security notice, contact Iomega technical support. For contact information, go to www.iomega.com/support and select Contact NAS Support.
If you have not already updated the firmware on your Iomega device to the most recent version, Iomega strongly recommends that you upgrade as soon as possible. The latest firmware version for your device includes an important security update that resolves a (different) potential remote access vulnerability. For additional information, review the ReadMe.txt file included with that update.
To download and install updated firmware, go to www.iomega.com/support and select your Iomega product. Select an operating system if requested. Select the Firmware Version page under “Download Software & Drivers”.
NOTE: If the support section for your product does not have a Firmware Version page, your device is running the latest firmware version. Again, even with the latest firmware version, you should be sure that your “access permissions” are exactly what you desire.
Iomega Technical Support
[1] When you enable the security feature, you create an administrator for your device. It locks the management interface so only administrator users can change settings. With the security feature enabled, administrator users can set up users and/or groups and limit authorized access to content/Shares on the device. If the device has the latest firmware, any Share created after security is enabled will be accessible only by administrators until an administrator assigns access privileges to selected users and groups. Shares that were present on the device before security was enabled will remain accessible by anyone until an administrator unchecks user “Everyone” and assigns specific access privileges.
[2] When Media Sharing is enabled on a Share, all media files stored in that Share will be available to everyone whether or not access restrictions have been set on that Share. For additional information on Internet security issues when using the Media Server feature on your Iomega network device, see https://iomega-na-en.custhelp.com/app/answers/detail/a_id/29924.
NOTE: Media Sharing is not available on all Iomega network devices.
[3] If the software version you are using permits you to set up a remote access password for your Iomega Personal Cloud and you've properly done so, you should still follow the above steps if you later decide to enable administrative security and create an administrator user (for instance, to limit Share-level access by users inside the firewall, or assign different rights to users accessing the device remotely).