CloudEngines Plugs Security Flaw in Pogoplug with Firmware 2.1

In my original blog post, entitled “Beware the Pogoplug”, I pointed out a rather serious security hole in the Cloud Engines Pogoplug device. That security hole allowed public SSH access into the device, as long as the device was reachable over the Internet or a Wi-Fi connection. CloudEngines even published the root password you needed to access the device. That’s been fixed now.

Enter Pogoplug Firmware 2.1

Introduction:

By default now, the Pogoplug has SSH access disabled. This is a welcome improvement and is the single biggest issue I had with the old firmware. I wholly support vendors giving us root-level SSH access to our devices. It frankly makes them much more useful and interesting to people like myself, as it opens the door to modifications. However, I cannot condone leaving that door open by default and not informing users, or giving them the ability to close it. Firmware 2.1 addresses those concerns.

No sooner did I get the Pogoplug upgraded than I immediately tested SSH access. Refused. Now of course, I wanted it open again, under my terms. Here’s how to do it.

Enabling SSH Access on the Pogoplug

Access the Settings link at the top-right of your My Pogoplug page:

PogoPlug Settings

This is a new Settings panel with lots of new options. Explore them at your leisure, but you want to drop down and select the Security Settings link:

PogoPlug Security Settings

Here you will find two new options:

  1. Use full security sessions: this option will fully encrypt (using HTTPS/TLS) all transmissions to and from the Pogoplug
  2. Enable SSH access for this Pogoplug

That second option is the one you want to check off. Once you do, you’ll get a pop-up prompting you for your password:

PogoPlug SSH Password

Unfortunately, this is where I ran into some problems. The page wouldn’t update. When I reloaded the My Pogoplug page, the option remained unchecked. I suspected my firewall and found I was right:

PogoPlug Enable SSH

After creating a Port Forwarding entry for port 54003 to my Pogoplug, I again checked the box and this time it took.
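To confirm the SSH state from another machine on your network, before and after changing the setting, a small probe can distinguish a refused connection from an unreachable host and from a listening SSH daemon. This is an added example, not part of the original post or Cloud Engines' software; it assumes SSH on the standard port 22, and the address `192.0.2.10` is a placeholder for your own device.

```python
import socket
import sys


def probe_ssh(host, port=22, timeout=3.0):
    """Classify the SSH port on a device you administer.

    Returns (state, banner). state is one of:
      'refused'     - host answered, nothing is listening (SSH disabled)
      'unreachable' - no answer or network error (host down or filtered)
      'open-ssh'    - a service sent an SSH identification string
      'open-other'  - port is open but did not identify itself as SSH
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # Must be caught before OSError, which is its parent class.
        return ("refused", None)
    except OSError:
        # Covers timeouts and "no route to host".
        return ("unreachable", None)

    with sock:
        sock.settimeout(timeout)
        try:
            # An SSH server sends its identification line first,
            # e.g. "SSH-2.0-<software>", and it is at most 255 bytes.
            data = sock.recv(255)
        except OSError:
            return ("open-other", None)

    banner = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if banner.startswith("SSH-"):
        return ("open-ssh", banner)
    return ("open-other", banner or None)


if __name__ == "__main__":
    # Placeholder address (assumption); pass your device's IP instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    state, banner = probe_ssh(target)
    print(f"{target}: {state}" + (f" ({banner})" if banner else ""))
```

A result of `refused` corresponds to SSH being disabled on the device, and `open-ssh` to the setting having taken effect.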

Conclusion:

Cloud Engines has an extremely popular device in the Pogoplug, and I’m very happy they corrected this flaw.


Leader, Mentor, Challenger, Educator, Network Engineer, System Administrator, Developer, Hacker, Writer, Diver, and Technology Explorer.