Network-attached storage devices more vulnerable than routers, researcher finds

A security review found serious vulnerabilities in 10 popular NAS systems

A security review of network-attached storage (NAS) devices from multiple manufacturers revealed that they typically have more vulnerabilities than home routers, a class of devices known for poor security and vulnerable code.

Jacob Holcomb, a security analyst at Baltimore-based Independent Security Evaluators, is in the process of analyzing NAS devices from 10 manufacturers and has so far found vulnerabilities that could lead to a complete compromise in all of them.

"There wasn't one device that I literally couldn't take over," Holcomb said Wednesday during a talk at the Black Hat security conference in Las Vegas, where he presented some of his preliminary findings. "At least 50 percent of them can be exploited without authentication," he said.

The devices he evaluated are: Asustor's AS-602T, TRENDnet's TN-200 and TN-200T1, QNAP's TS-870, Seagate's BlackArmor 1BW5A3-570, Netgear's ReadyNAS104, D-LINK's DNS-345, Lenovo's IX4-300D, Buffalo's TeraStation 5600, Western Digital's MyCloud EX4 and ZyXEL's NSA325 v2.

So far, the security organization MITRE has assigned 22 CVE (Common Vulnerabilities and Exposures) identifiers for the issues the researcher has found, but the project has just begun and he expects to find many more by the end of the year. These devices are far worse than routers, he said.

Holcomb led a similar study last year that identified over 50 vulnerabilities in popular SOHO routers. He expects the number of vulnerabilities identified in NAS systems to far exceed those he found in routers by the time his new project is over.

The type of issues he found in the NAS systems include command injection, cross-site request forgery, buffer overflows, authentication bypasses and failures, information disclosure, backdoor accounts, poor session management and directory traversal. By combining some of these vulnerabilities, attackers can gain a "root shell" on the devices, allowing them to execute commands with the highest possible privilege.

Holcomb demonstrated such attacks during his Black Hat presentation against the D-Link, Netgear, Buffalo and TRENDnet NAS devices. He also disclosed a backdoor account on the Seagate device and deterministic cookie generation on the Asustor product.

All the vulnerabilities found so far were reported to the vendors, but the release of patches for them can take months, Holcomb said. The issues presented at Black Hat had not yet been fixed, so they can be considered zero-days, he said.

There are obvious differences in what can be done by compromising NAS devices and compromising routers. By controlling a router an attacker could capture and modify Internet traffic for a network, while hacking into a NAS system could provide access to potentially sensitive information stored on it.

A router is more likely to be accessible from the Internet than a NAS system, but this doesn't mean that NAS devices are not being targeted by attackers.

Researchers from Dell SecureWorks reported in June that a hacker made over US$600,000 by hacking into Synology NAS devices and using them to mine Dogecoin, a type of cryptocurrency. More recently, some Synology NAS device owners reported that their systems had been infected by a file-encrypting malware program called SynoLocker.

By compromising a NAS device an attacker could also hijack traffic from other devices on the same network by using techniques like ARP spoofing, Holcomb said.

A big concern is that many NAS vendors use the same code base for their high-end and low-end devices, the researcher said. That means the same vulnerabilities in a low-cost NAS device designed for home use could exist in a much more expensive NAS system designed for enterprise environments.

Paying more money for a device does not mean it has better security, Holcomb warned.

Independent Security Evaluators has partnered with the Electronic Frontier Foundation to organize a SOHO router hacking contest at the DefCon security conference later this week, primarily to raise awareness about the poor security state of such devices. Holcomb's new research suggests other embedded devices fare even worse.

Join the CSO newsletter!

Error: Please check your email address.

Tags TRENDnetZyxelQNAP SystemsExploits / vulnerabilitiesIndependent Security EvaluatorsBuffalo TechnologySeagate TechnologyintrusionsecuritynetgearAccess control and authenticationASUSTORD-Linkdata protectionwestern digital

More about BaltimoreBuffaloDellD-Link AustraliaElectronic Frontier FoundationLenovoNASNetgear AustraliaQNAPSeagateSecureWorksSynologyTRENDnetWestern DigitalZyXEL

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place