Non Sensitive
Data Not Encrypted at Rest (Non-Sensitive)
Overview of the Vulnerability
The device stores non-sensitive data that is not encrypted at rest. Despite the data not being directly exploitable, its accessibility due to lack of encryption allows attackers with physical access to the device to retrieve this information. This exposure could facilitate reverse engineering efforts or aid in future exploitation attempts, indirectly compromising the system's security.
Business Impact
While the data in question is classified as non-sensitive, its exposure still poses security risks. Unauthorized access to this data can provide attackers with insights into the device's operations or architecture, potentially leading to vulnerabilities being uncovered. This situation can undermine the security posture of the device, leading to increased susceptibility to targeted attacks, erosion of customer confidence, and potential reputational damage.
Steps to Reproduce
Gain physical access to the device and remove the cover as seen in the images below.
Locate the hard drive on the device, and remove it.
Using a external hard drive caddy, mount the device.
Observe that it is possible to access the filesystem, demonstrating the lack of encryption at rest.
Proof of Concept (PoC)
The following screenshot(s) demonstrate(s) this vulnerability:
{{screenshot}}
Recommendation(s)
It is recommended to encrypt all data at rest within the device to prevent the data from being viewable by a 3rd party attacker.
Guidance
Provide a step-by-step walkthrough with screenshots on how you exploited the vulnerability. This will speed up triage time and result in faster rewards. Please include specific details on where you identified the vulnerability, how you identified it, and what actions you were able to perform as a result.
Attempt to escalate the vulnerability to perform additional actions. If this is possible, provide a full Proof of Concept (PoC).
Last updated