‘Online backups of Hema USB sticks were publicly accessible’
Files that users of HEMA's USB+ memory sticks backed up online with the program supplied for that purpose were accessible to everyone, the Hague hackerspace Revspace has discovered. HEMA has withdrawn the sticks from the market.
Anyone who used the online storage with the USB stick has, in theory, exposed their name, address, telephone number, password and the contents of their files, Revspace claims on the basis of its own research. According to the hackers, users should be alert to the risk of identity theft.
Buyers of the USB+ memory sticks could make online backups of files with a program on the stick. For this purpose, the software created folders on the stick whose contents were automatically synchronized. Users had to sign up for this via a site whose connection was not properly secured. Remarkably, the registration details were emailed to a Gmail address, from the address [email protected]. The domain Appstore.com is actually owned by Apple, which has nothing to do with the matter.
The installed Windows application communicated entirely unencrypted with Amazon's servers, on whose S3 storage the files ended up. "Everyone who can tap your connection can read along: your network administrator, your internet provider, investigation services, but also people with your WiFi password," writes Revspace.
The server software contained multiple vulnerabilities, including SQL injection. Even without exploiting those, downloading users' files was 'child's play', in Revspace's words, for anyone who knew or could guess the username and file name: the files could be reached directly via HTTPS addresses.
Finally, the source code of the server application, including an important password, had leaked. HEMA relies on a supplier for the USB sticks. HEMA was reportedly informed in July, but various security problems remain at the supplier. The USB sticks have since been withdrawn from the market, however, and the registration of new users has been stopped. HEMA tells Nu.nl that it is in contact with the supplier and an independent consultancy "to ensure that this product meets the requirements that we and our customers are allowed to set."