07-28-2016 12:30 PM - edited 07-28-2016 12:32 PM
I'm glad to hear about your enthusiasm for ThinkPad Stack and thank you for posting about the content security issue you have come across while using the product. I am a Product Manager for ThinkPad Accessories and will share your concerns with our inernal team to see what help we can provide or what changes may need to be made.
Per an earlier post this is the issue I will be sharing with my team:
the Stack shares the content of the HDD with the entire Internet without requiring a password, even worse, this sharing is done as "root" user allowing any file being read/changed/removed by anyone with anonymous access
I will investigate this issue internally and come back to you with my findings.
07-29-2016 01:46 AM - edited 07-29-2016 01:48 AM
Thank you mneybeck!
All I said is true. I honestly believe the ThinkPad Stack is an innovative
device with huge possibilities. Its hardware quality, as usual on
Lenovo, is excellent and the device itself can fill a big gap. I plan to
use it not only to simplify deployment of wireless networks and
storage devices but also to provide an additional protection layer to
computers in case of connecting to hostile networks (e.g., filtering
the Intel ME, NFS, RPC and bootp ports). Don't know how future
firmware upgrades will be, but I do not discard using this device as an
end-point for a VPN.
Only time will say what we can do with the Stack!
As I see it there are two main security issues related to the Stack:
1. the port filtering firewall does not seem to work as expected
(while here, a "default deny" policy would be great too);
2. the Samba/CIFS server is listening on all interfaces, including WAN,
allowing privileged anonymous access to contents on the disk
(partially mitigated if formatted as ext4, as files can be protected by
means of ext4 file attributes (chattr(1)).
To reproduce the Samba sharing issue just set up a computer to act as
a DHCP server (this one will play the role of a "router" or "AP" connected
to the Internet) and connect the Stack to it using the Ethernet port and
let it autoconfigure its network settings. Then you should be able to
access the Stack HDD without using a password from the computer
playing the role of a host on the Internet.
Just log into the device (using telnet) and check the permissions of the
files created. Don't know how it will perform on an NTFS-formatted drive,
but on an ext4 it is clear the owner of the files created is "root" and no
standard permissions (using chmod(1) instead of chattr(1)) will stop this
user from modifying a directory or file that is write protected. This one is
the reason I say only chattr(1) provides a minimal protection, as file
attributes are honored by the "root" user too.
Please, let me know if you need additional information or testing.
I will listen to this thread.
07-29-2016 05:15 AM
If you welcome my advice I would suggest a simple but effective fix: the ThinkPad Stack router should never have services listening on the egress interface (e.g. the Ethernet port on a default configuration).
In other words, services like Samba/CIFS or DLNA should never listen on the interface pointed by the default route, i.e. the interface connected to the world.
10-06-2016 07:39 AM
I am sorry for bumping this thread but there had been no activity on it in the last two months and the problem described here is severe and very easy to exploit.
What is the current status of this report? No service should be listening on the egress interface. In the ThinkPad Stack the Samba/CIFS service is not only listening on the external interface but also allows unauthenticated root access to the device's HDD from anywhere.
12-06-2016 04:41 PM
I just bought this device a week ago and its being shipped to me next week - everything you have said it truly terrifying as the thought of all my private data being out there in the open broadcasted by its companion nonetheless - what was Lenovo thinking????
I hope until much more safer alternatives come up - the 1TB HDD will be primarily used for multimedia only sadly (I don't mind if you copy some good classical music, lol) I hope Lenovo can come up with some safey measures quick, I really like the concept of the Stack, but safety measures must be implemented before they can take any step further.
I hope Lenovo can keep up the good work and keep up the support.
Aleph - good job mate - keep up the good work as well!!
12-09-2016 10:15 PM
I was having a look around the router.
Looks like an mips based embedded linux but its not blindingly obvious to me
what toolchain was used and I can not find much about rtl linux in english.
Looking at the startup script in /etc/rc.d/ I noticed that /bin/startup
is called which in turn invokes any files in /var/persist/startup.
I placed a short script in there to set the timezone, hostname
and root password. I imagine a script invoking /bin/iptables could be used
to customise the firewall rules restricting wan access to the minimum.
I was interested in how using an existing wifi connection for the wan connection
worked. Even though I had the impression is was bridged its not.
The stack's wifi connections are still on 192.168.33.x so the traffic must
be routed to the wan wifi (and nat'd?)
I purchased the stack for the speaker, external drive and battery pack
(discounted was cheaper than buying each generic device separately)
so the router is for me a gift or toy.
Building a more functional busybox binary for this device might be a project.