security

Previous Thread | Next Thread

Learn about scoring Forum's Raw Score: 59184.4

September 12, 2011 06:04 PM

Categories: Hard Drives / Storage

Rating (0 votes)

Rate This!

reneeaz

Member
Joined: 09/12/2011

have read online that pogoplug is not secure and the passwords given are actually easily accessible online:

See what was written below:

Bad:

The PogoPlug has open SSH access to the root account.

Badder:

The password is published on the Internet, by CloudEngines, and is easy to find with a Google search. Just Google: PogoPlug SSH linux. It’ll be your first hit. But, to save the time, I’m posting the direct URL here: http://www.cloudengines.com/dev/linux.html In case they were to take the page down, here is an image of the site:

Well Known Password Exposed

Worse:

You cannot change this password without crippling CloudEngines’ ability to upgrade your device. Now pause for a moment. Yes, that means that in order to upgrade your device, they are most likely SSHing into your PogoPlug, as root, and running upgrade scripts. Yay! For what it’s worth, here are the instructions, that I got from CloudEngines, to change your root password on the PogoPlug. Bear in mind, you will no longer get updates and will not be able to upgrade it until you’ve set the password back to the default.

Login to the PogoPlug via SSH as root, then:

# mount / -o remount,rw
# passwd
– new password at prompt
# mount / -o remount,ro

Worst:

If you opt not to change the password, then know that your PogoPlug is potentially wide open to anyone who knows this well published username and password. Once they SSH into your PogoPlug, they have ACCESS TO ALL OF YOUR DATA. It doesn’t matter what permissions you’ve set via the web interface, they have root access to your device and they can see everything that is connected to it AND COPY IT OFF.

Conclusion:

I’ve read lots and lots of positive comments about the PogoPlug, how easy it is to get working (despite my personal experience) and how great the overall device is for managing storage and making it available over the Internet. However, that ease of use has a serious price, and that price is too high for me to use it. I’ve sent mine back and CloudEngines was nice enough to provide me an RMA.

Moderator Note: Post edited to delete copyright infringement.

Discussion:

Brandon C

Lead Moderator

member since: 04/21/2009
rank: 1 of 13233
18 articles authored
22 forum threads started
668 comments

September 12, 2011 8:16 PM

Two things. No one via WAN can access your Pogoplug regardless of its SSH password if port 22 is not open to it on your router.

You can test and see if your port 22 is open on your router by using an online port test tool like this one. Enter 22 in the box and click to check.
http://placeshiftingenthusiasts.com/tool-to-check-for-open-ports/

Also even if the port is open you have to turn on SSH from the settings page and you have to use the default password that someone might know. You can change the password to something other than default on the same page.

If someone is on the same LAN as you they could access, regardless of a port forward setup but again only if you have it turned on and only if you didn't change the default password.

If you are concerned about it just don't turn SSH on. While on the topic Telnet is off by default and you are not able to turn it on via the settings page.

Place Shifting Enthusiasts