Data Not Encrypted At Rest
Overview of the Vulnerability
The device stores data that is not encrypted at rest, compromising the confidentiality and integrity of the data. This oversight allows an attacker with physical access to the device to easily access and potentially compromise the sensitive data contained within, exposing personal information, secrets, or credentials.
Business Impact
The absence of encryption for data at rest on the device poses a significant risk to data confidentiality and integrity. This vulnerability can lead to data breaches, unauthorized access to sensitive information, and potential financial and reputational damages to the organization. It undermines the trust of customers and partners and may result in non-compliance with regulatory requirements related to data protection and privacy.
Steps to Reproduce
Gain physical access to the device and remove the cover as seen in the images below. {{screenshot}}
Locate the hard drive on the device, and remove it.
Using an external hard drive caddy, mount the device.
Observe that it is possible to access the filesystem, demonstrating the lack of encryption at rest.
Proof of Concept (PoC)
The following screenshot(s) demonstrate(s) this vulnerability:
{{screenshot}}
Guidance
Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
Recommendation(s)
It is recommended to encrypt all data at rest on the device so that it cannot be viewed by a third-party attacker.
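One way to check whether the recommendation has been applied, as an added example that is not part of the original template: the script reads the first 2 KiB of a volume and reports whether it starts with an encrypted-container header (LUKS, BitLocker) or a directly readable filesystem signature. It assumes the input is a single partition or volume image rather than a whole disk with a partition table; the function names and sample buffers are hypothetical and constructed for illustration.

```python
# Added example: classify a volume by its on-disk header.

# (offset, magic, label) for headers written by encrypted containers
ENCRYPTED = [
    (0, b"LUKS\xba\xbe", "LUKS"),      # LUKS1/LUKS2 header magic
    (3, b"-FVE-FS-", "BitLocker"),     # BitLocker volume boot sector OEM ID
]
# Signatures of filesystems that can be mounted without any key
PLAINTEXT = [
    (3, b"NTFS    ", "NTFS"),
    (3, b"EXFAT   ", "exFAT"),
    (82, b"FAT32   ", "FAT32"),
    (0, b"XFSB", "XFS"),
    (1080, b"\x53\xef", "ext2/3/4"),   # superblock magic 0xEF53, little-endian
]

def classify(head: bytes):
    """Return (state, label) for the first bytes of a volume."""
    for off, magic, label in ENCRYPTED:
        if head[off:off + len(magic)] == magic:
            if label == "LUKS":
                # 16-bit big-endian version field follows the magic
                label = f"LUKS{int.from_bytes(head[6:8], 'big')}"
            return ("encrypted", label)
    for off, magic, label in PLAINTEXT:
        if head[off:off + len(magic)] == magic:
            return ("plaintext", label)
    # No known signature: not proof of encryption, needs manual review
    return ("unknown", None)

def classify_path(path: str):
    """Classify a volume image or block device given its path."""
    with open(path, "rb") as f:
        return classify(f.read(2048))

def _sample(off, magic, size=2048):
    """Build a constructed, zero-filled header with one signature set."""
    buf = bytearray(size)
    buf[off:off + len(magic)] = magic
    return bytes(buf)

# Constructed sample headers (not taken from any real device)
SAMPLE_EXT4 = _sample(1080, b"\x53\xef")
SAMPLE_LUKS2 = _sample(0, b"LUKS\xba\xbe\x00\x02")
SAMPLE_BITLOCKER = _sample(3, b"-FVE-FS-")

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, *classify_path(p))
```

A result of "unknown" should be reviewed by hand, since headerless encryption and unrecognised filesystems both land there.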