Beware the PogoPlug

by Rob Pickering on 2010 January 27

Category: Security

Today marks a milestone for me.  I started a blog.  I have no idea how long I’ll write this, but something I found out recently compelled me to share what I know.  I was completely and totally shocked at what I found and the implications of this security hole, in my opinion, are staggering.  I felt so compelled that I paid for a SquareSpace site and wrote this entry.

Beware the PogoPlug.

Introduction:

If you’ve been living under a rock, or just don’t frequent technology blogs and technology podcasts, then I suppose it’s possible you’ve never heard of a PogoPlug.  A PogoPlug is a small device (really small in Version 1, and medium small in Version 2) that connects to your Internet network via Ethernet and then connects to stray USB drives you have lying around.  It then has the ability to make the content of those USB drives available both on your local network as Network Attached Storage (NAS) and, more importantly, available via the Internet on a web site controlled entirely by you.  I, like many others, believed this was a great way to take USB drives I have lying around doing nothing, and convert them into useful storage for my local network as well as provide a way to share files with people elsewhere on the Internet.

I was wrong.

Bad:

The PogoPlug has open SSH access to the root account.

Badder:

The password is published on the Internet, by CloudEngines, and is easy to find with a Google search.  Just Google:  PogoPlug SSH linux.  It’ll be your first hit.  But, to save you the time, I’m posting the direct URL here:  http://www.cloudengines.com/dev/linux.html  In case they were to take the page down, here is an image of the site:

[Image: PogoPlug Linux Dev Page, captioned "Well Known Password Exposed"]

Worse:

You cannot change this password without crippling CloudEngines’ ability to upgrade your device.  Now pause for a moment.  Yes, that means that in order to upgrade your device, they are most likely SSHing into your PogoPlug, as root, and running upgrade scripts.  Yay! For what it’s worth, here are the instructions, that I got from CloudEngines, to change your root password on the PogoPlug.  Bear in mind, you will no longer get updates and will not be able to upgrade it until you’ve set the password back to the default.

Log in to the PogoPlug via SSH as root, then:

# mount / -o remount,rw
# passwd
– new password at prompt
# mount / -o remount,ro
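
The steps above leave the root filesystem writable if passwd fails partway, and they do not confirm that the password actually changed. The following POSIX sh wrapper is an added example, not code from the original post or from CloudEngines: it always attempts the remount to read-only, then verifies the mount state and that root's hash differs from before. It assumes the hash is stored in /etc/shadow and that /proc/mounts exists on the device; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verified version of the remount,rw / passwd / remount,ro steps.
# Assumptions: root's hash is in /etc/shadow and /proc/mounts is readable.

# Print "rw" or "ro" for the root filesystem.
# $1: mounts table in /proc/mounts format (default: /proc/mounts).
# The table can list "/" twice (rootfs, then the real device); the last
# entry is the one in effect, so later lines override earlier ones.
root_mount_mode() {
    awk '$2 == "/" {
             n = split($4, opt, ","); m = ""
             for (i = 1; i <= n; i++)
                 if (opt[i] == "rw" || opt[i] == "ro") m = opt[i]
             mode = m
         }
         END { if (mode == "") exit 1; print mode }' "${1:-/proc/mounts}"
}

# Print root's password-hash field from a shadow-format file.
# $1: file to read (default: /etc/shadow).
root_hash() {
    awk -F: '$1 == "root" { print $2 }' "${1:-/etc/shadow}"
}

# Run the procedure from the post, then check that it really took effect.
change_root_password() {
    before=$(root_hash) || return 1
    mount / -o remount,rw || return 1
    passwd; rc=$?
    # Always try to go back to read-only, even when passwd failed.
    mount / -o remount,ro ||
        { echo "WARNING: / could not be remounted read-only" >&2; return 1; }
    [ "$rc" -eq 0 ] || { echo "passwd failed; password unchanged" >&2; return 1; }
    [ "$(root_mount_mode)" = "ro" ] ||
        { echo "WARNING: / is still read-write" >&2; return 1; }
    [ "$(root_hash)" != "$before" ] ||
        { echo "root hash unchanged; default password still set" >&2; return 1; }
    echo "root password changed; / is read-only again"
}

# Nothing is modified unless the script is run as: sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    change_root_password
fi
```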

Worst:

If you opt not to change the password, then know that your PogoPlug is potentially wide open to anyone who knows this well published username and password.  Once they SSH into your PogoPlug, they have ACCESS TO ALL OF YOUR DATA.  It doesn’t matter what permissions you’ve set via the web interface, they have root access to your device and they can see everything that is connected to it AND COPY IT OFF.

Conclusion:

I’ve read lots and lots of positive comments about the PogoPlug, how easy it is to get working (despite my personal experience) and how great the overall device is for managing storage and making it available over the Internet.  However, that ease of use has a serious price, and that price is too high for me to use it.  I’ve sent mine back and CloudEngines was nice enough to provide me an RMA.

  • Morac

    While this certainly isn’t ideal, it’s probably not as bad as you are making it out to be. In fact the only case I can see this being a problem is if the PogoPlug is directly connected to the Internet or someone uses a PogoPlug in a public LAN environment.

    The PogoPlug device is designed to plug into your home router so you can share drives with your LAN. Most routers have a SPI firewall which will block unsolicited inbound connections. So unless the PogoPlug is opening an incoming port on routers via UPNP (and there’s nothing in the documentation indicating it is doing so), the only way to use SSH to access the RoboPlus would be from the LAN. This still lets anyone on your LAN access your files, bypassing the security protocols in place, so I wouldn’t use a PogoPlug on a public network, but for home use it’s okay.

    So basically accessing the PogoPlug via SSH externally is a non-issue (that includes CloudEngines). So how do updates work then? I’ll get to that in a second, but first I’ll talk about how PogoPlug works. I don’t have a PogoPlug, but from reading about it, my understanding is that the PogoPlug initiates an outbound connection to CloudEngines’ servers. It needs to do so to bypass the router’s firewall since the firewall will allow outbound connections by default. From what I’ve read it is similar to a VPN connection since none of the data is stored on the CloudEngine servers. Like I mentioned, it could open an inbound port on the router via UPNP, but since not all routers support UPNP, that would restrict PogoPlug from working with all routers.

    Back to the update issue. It makes absolutely no sense for CloudEngine to SSH into the box to install updates. Not only is it impracticable, it won’t work because of the customer’s router’s firewall. This is how I would imagine it would work. The PogoPlug periodically checks the CloudEngine servers for updates. If it finds one it downloads it. Now I doubt the software on the box runs as root as it would make little sense to do so, but to install an update the file system must be mounted as read/write. This would require root access, hence why the password is required.

    So in conclusion, yes it’s not a good idea to have a box on your LAN where the root password is widely known, but it doesn’t automatically make the device accessible to everyone on the Internet.

  • Rob Pickering

    I agree that the immediate threat can be mitigated by placing the PogoPlug behind a firewall. Unfortunately, my PogoPlug would not activate, nor work, when placed behind my firewall (Astaro Home Gateway v7).

    CloudEngine’s response was to just run my PogoPlug on the public Internet. That’s when the solution became untenable for me. How many other people have they told this to?

    Also, security is done in layers. If this device has no security (which it doesn’t), then it’s up to you to secure it. While a firewall may prevent people from the Public Internet from accessing it (assuming it’ll even work then), you now rely on your wireless network security to ensure access to your private files is secure. Are you comfortable with that? I wasn’t.

    • http://robpickering.com Rob Pickering

      UPDATE: Possible fix for Astaro Gateway Issue –

      A user named Jamy Casteel contacted me and had this advice, “What fixed the whole issue was adding the pogoplug’s IP address to the exclusions list under the Transparent Mode skip list (under web security, http/s)”.
      I also found a post here by @BAlfson that states, “If you have the Astaro using HTTP/S Proxy in “Transparent” mode. Then you need to put the IP address of the PogoPlug into the “Transparent Mode Skip List” on the Advanced Tab”.

      Hopefully, that will help folks.

      • Chimericgamer

        From what it sounds like you don’t entirely understand either the way your own network security system works, the way the PogoPlug connects (thanks for the great explanation Jed) or both.  Before you point fingers at the developers, ask yourself this:  “Did something I configure make my setup significantly different from that of the common user?”  This in your case was your firewall system.  True, the developers might have asked you to use the device on the public network, but I doubt they would suggest doing so with your data.  With just the device you could troubleshoot your connection, and then apply settings correctly.  From here you could then put the device behind whatever security solution you prefer and attach your data.  Please do your homework before you bite the hand that feeds.

        • http://robpickering.com Rob Pickering

          The article was written over 18 months ago, a lot has changed since that time.  I also find it odd that you jumped to the conclusion that I don’t understand my network.  The point of the article was one around the security implications of allowing “root” level access with a well-known password to the PogoPlug by default (since fixed, as I pointed out in the article).  Secondly, my issue WAS the firewall, which I admitted to, however, the fact that CloudEngines support (not the developers) just told me to connect it to the Public Internet, wasn’t an appropriate solution, especially in light of the security issue the developers had caused.

          I never “pointed fingers at the developers” other than to state that having a well-known, root-level, SSH password, enabled by default, on a consumer device was a bad idea.  They thought so too, after my article, and changed it.

          In the comment posted 7 months ago, I pointed out how to get the PogoPlug to work from behind the Astaro Security Gateway.  So, again, not sure where your comment is coming from, as I believe I addressed your concerns either in the original article, or in the comments.

  • Morac

    I agree it is poorly designed as the upgrade process shouldn’t require a publicly known root password. I was just pointing out the caveats.

    As for the issue itself, the root password can be changed. It should also be possible to make it so updating doesn’t require the root password. That is if CloudEngine cares enough to make the change.

  • http://www.tonidoplug.com dyno

    You might want to check out TonidoPlug. It doesn’t have the security caveats you are describing here.

  • http://plugapps.com Mike Staszel

    You can change the root password and get updates. CloudEngines’ API connects to "hbplug" which runs as a root user on the Pogoplug itself. HBPlug, once it knows of new firmware, downloads the upgrade scripts and runs them as root (since the process itself is run by root).

    The REAL problem is keeping the API secure. If a hacker were to make the API say "download this trojan firmware" then all Pogoplugs would be destroyed. It’s unlikely but possible.

  • Jed Putterman

    I work at Cloud Engines, the makers of Pogoplug. First, I appreciate you taking the time to write your thoughts, and your security concerns – we also take security extremely seriously. We always listen to our users, and address any real security issues or threats with great care and urgency. I would like to address the concerns you raise in this post, which will hopefully answer the open questions (and issues) raised above.

    1. Pogoplug sits behind your router on your internal network and is safe from outside access by the firewall provided by your router. Pogoplug does NOT require opening any ports or making any changes to your firewall settings. In fact, we specifically do NOT use UPnP for exactly that reason – your network should never be exposed to the outside. By not requiring any kind of network changes, opening ports, or port forwarding, Pogoplug is one of the safest remote access solutions on the market.

    2. Many common consumer electronics devices, including the most popular routers, ship with a standard username and password. They, like us, want your device to be open and available for you to make changes – again, with the knowledge that they are sitting behind your router (or they are your router) and there is no unauthorized external access allowed.

    3. At any point you can change the root password of your Pogoplug. Your Pogoplug will continue to upgrade automatically as it always has, and in fact will work exactly the same in all regards.

    4. The auto-upgrade check on the Pogoplug uses a secure handshake with the upgrade servers to find out if a new software (firmware) upgrade is available. The Pogoplug has no ability to upload software to our servers – it can only download the latest firmware, so there is no potential for a trojan style "injection" of malicious software. In the same regard, Pogoplug never accepts unsolicited requests for data, it only responds to remote access requests from the Pogoplug servers that were initiated by the Pogoplug itself, which further eliminates outside spoof attacks directed at individual Pogoplug devices.

    We will add more information to the developer section of our site over the weekend clarifying some of his issues, especially about the fact that it’s fine to change the default password and everything will continue working as always, including auto-upgrades, and that Pogoplug sits behind a router/firewall where there is no direct public access and never opens any ports, doesn’t use UPnP, … so publishing the password is a convenience for the owner to keep the device open, rather than a security hole in this environment. As an aside, in the March release we are adding the ability to disable/enable ssh (default will be disabled) and change the root password from the UI.

  • Rob Pickering

    My response to Jed Putterman at PogoPlug:

    1) Actually it does. I have the documentation from your own support outlining the ports that MUST BE OPENED to enable BOTH the PogoPlug to register, and the PogoPlug to work. You’re welcome to also reference ticket numbers: #3437, #3450, and #3506. These cases document BOTH that support stated the password could not be changed AND get updates, the ports that MUST be opened for it to work, and the fact that it does not work through an Astaro Home Gateway Firewall (which is not PnP compatible).

    2) Shipping with a "standard" username and password is one thing. Publishing that username and password on the web AND not providing an easy way for consumers to change that username and password is quite another. I’m pretty sure most of your users would not be comfortable with SSH, mounting filesystems RW, changing passwords at a command line, and then remounting a filesystem RO. Comparing yourself to a device that has a web GUI for changing the password isn’t valid.

    3) From your own PogoPlug support on Ticket #3437, "Please note, however, should you do this, automatic firmware updates will not occur."

    4) This is a false statement, as SSH is enabled BY DEFAULT and accepts connections from ANYWHERE. So you are relying on the end-user having a firewall to block these connections from the Internet as well as relying on the end-user to have a secure wireless and wired network to prevent these connections. It’s unacceptable to allow the ‘root’ account to SSH into the device BY DEFAULT.

    I’m very happy to hear you are addressing this blatant security hole, I only wish your device would work behind a firewall without having to open ports. Support for the Astaro Home Gateway firewall would also be appreciated.

  • Jed Putterman

    Rob, regarding your 1st and 3rd points, our support should never have told you to open ports, and for this I apologize. Pogoplug NEVER requires that a port be opened, even with common consumer firewalls running. Our only requirement is that UDP be enabled on the network and not specifically blocked and outbound TCP requests be allowed. If a specific brand of firewall is not supported then it needs to be treated as a feature request to support it by our development team, not a request to the end-user to make changes.

    Regarding auto-upgrade – if you change your password, auto upgrade will always continue to work and I have made sure that our support team has this correct information.

    If you are up for it, I’ll send you a free unit in March after the release and work with you to get Astaro properly supported.

  • Rob Pickering

    Jed,

    The purpose of my article was to alert users of the problem and to make them aware of what I perceive to be a serious security flaw. I do, and will continue to, see the value this type of solution provides to the consumer. However, it must be done with care, as making things very simple for the end user means the onus to provide security rests with the vendor.

    As such, I would be thrilled to work with CloudEngines on this solution and would like to try out the March release of the unit. Following testing, I will post a follow up article of my findings. I am also willing to work with CloudEngines on getting the Astaro Home Gateway supported, as it is a very popular end user firewall.

    Please use the contact form to provide me an email I can reach you at to discuss further.

  • Bob

    For what it’s worth, I think PogoPlug now ships with SSH access disabled, by default. You’d need to explicitly enable it if you want to SSH into the device.

    • http://robpickering.com Rob Pickering

      You are correct.  I reflected that in my March 2010 article, found here:  http://robpickering.com/?p=12