CloudEngines Plugs Security Flaw in Pogoplug with Firmware 2.1

by Rob Pickering on 2010 March 25

In my original blog post, entitled Beware the Pogoplug, I pointed out a rather serious security hole in the Cloud Engines Pogoplug device. That security hole allowed public SSH access into the device, as long as the device was reachable over the Internet or a Wi-Fi connection. CloudEngines even published the root password you needed to access the device. That’s been fixed now.

Enter Pogoplug Firmware 2.1

Introduction:

By default now, the Pogoplug has SSH access disabled. This is a welcome improvement and is the single biggest issue I had with the old firmware. I wholly support vendors giving us root-level SSH access to our devices. It frankly makes them much more useful and interesting to people like myself, as it opens the door to modifications. However, I cannot condone leaving that door open by default and not informing users, or giving them the ability to close it. Firmware 2.1 addresses those concerns.

No sooner did I get the Pogoplug upgraded than I immediately tested SSH access. Refused. Now of course, I wanted it open again, under my terms. Here’s how to do it.

Enabling SSH Access on the Pogoplug

Access the Settings link at the top-right of your My Pogoplug page:

[Image: PogoPlug Settings]

This is a new Settings panel with lots of new options. Explore them at your leisure, but for now you want to drop down and select the Security Settings link:

[Image: PogoPlug Security Settings]

Here you will find two new options:

  1. Use full security sessions: this option will fully encrypt (using HTTPS/TLS) all transmissions to and from the Pogoplug
  2. Enable SSH access for this Pogoplug

That second option is the one you want to check off. Once you do, you’ll get a pop-up prompting you for your password:

[Image: PogoPlug SSH Password]

Unfortunately, this is where I ran into some problems. The page wouldn’t update. When I reloaded the My Pogoplug page, the option remained unchecked. I suspected my firewall and found I was right:

[Image: PogoPlug Enable SSH]

After creating a Port Forwarding entry for port 54003 to my Pogoplug, I again checked the box and this time it took.
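To repeat the "tested SSH access, refused" check from another machine on your LAN, before and after ticking the box, here is a small probe added as an example (it is not part of the original post or Cloud Engines' software). It assumes the Pogoplug's SSH daemon listens on the default TCP port 22; the function names are hypothetical.

```python
import socket
import sys


def ssh_state(host, port=22, timeout=3.0):
    """Return (state, banner); state is 'open', 'refused' or 'filtered'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", None)    # host replied with a reset: nothing is listening
    except OSError:
        return ("filtered", None)   # timeout or unreachable: dropped on the way
    with sock:
        sock.settimeout(timeout)
        try:
            # An SSH server sends its identification line first ("SSH-2.0-...").
            line = sock.recv(256).split(b"\n", 1)[0].strip()
            banner = line.decode("ascii", "replace")
        except OSError:
            banner = ""             # port is open but nothing was sent in time
    return ("open", banner)


def matches_setting(host, ssh_enabled, port=22):
    """True if the observed port state agrees with the Security Settings box."""
    state, banner = ssh_state(host, port)
    if ssh_enabled:
        return state == "open" and (banner or "").startswith("SSH-")
    return state != "open"


if __name__ == "__main__":
    # Usage: python pogo_ssh_check.py <pogoplug-lan-address> <on|off>
    host, expected = sys.argv[1], sys.argv[2] == "on"
    state, banner = ssh_state(host)
    print(f"{host}:22 is {state}" + (f" ({banner})" if banner else ""))
    sys.exit(0 if matches_setting(host, expected) else 1)
```

Run it from the LAN and again from outside your network: a device whose SSH box is unchecked should never report "open", and one you enabled deliberately should only be reachable from where you intend.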

Conclusion:

Cloud Engines has an extremely popular device in the Pogoplug, and I’m very happy they corrected this flaw.

  • Todd Whitehead

    What about the iOmega iConnect? According to what I’ve read, the iConnect functions similarly to the PogoPlug. Some of the things that it does that I’m unsure whether the pogo plug does:
    1. Can host Time Machine backup volumes.
    2. Can run bittorrent downloads without a computer.
    3. Can stream media as a UPNP, DLNA or iTunes server.
    4. Has a button on the front that can be configured to automatically copy files from one location to another (the destination can be another drive on the iConnect or another location on your network).
    5. Supports up to 2 printers.
    6. Has 4 USB ports.
    7. Is only $99.
    8. Has a gigabit port, but can also connect to your network via wireless B/G/N.

    What are people’s thoughts about the PogoPlug vs. the iConnect?
    -Todd

  • http://www.facebook.com/jkomut Jason Komutrattananon

    This caused me some frustration. The firewall was causing problems with port 54003 and I could not figure it out for the longest time.