NAS security review: Synology DS1515+ running DSM 5.1-5022

Network attached storage vendor Synology claims to have improved its handling of security issues following last year’s ransomware attacks on its users. CSO Australia and Enex Test Lab put its latest version of DiskStation Manager (DSM) on the new Synology DS1515+ hardware through its paces.

Cybercriminals like low-hanging fruit and last year they set their sights on NAS devices manufactured by Taiwan-based Synology.

Early in the year, hackers took over an unknown number of Synology NAS devices to form a distributed crypto-currency mining rig that earned an estimated $600,000 in just two months. Researchers at Dell SecureWorks said it became the “single most profitable, illegal mining operation” to date. The problem was tracked to an unauthorised application running on affected systems.

The first round of attacks would turn out to be a mild annoyance compared to the next wave. In August, hackers struck Synology users again, this time with a custom piece of ransomware that encrypted potentially terabytes of each victim's files. Since a NAS exists to hold large amounts of data, a compromised NAS gives the attackers fairly persuasive leverage when demanding $350 for the decryption key.

In this case the attackers appeared to have exploited two flaws for which Synology had already released fixes but which users had not applied. Clearly there was room for improvement on Synology's part in ensuring users were running up-to-date systems.

Synology released its new 5-bay NAS, the DS1515+, in November running DSM 5.1 and has promised it is “fully guarded against known challenges with automatic security updates”. It also promised hassle-free auditing with the Security Advisor tool “for bullet protection”.

They’re bold claims given the issues users faced last year, so CSO Australia and Enex TestLab put them to the test. Here’s what we found. 

Pen-testing the Synology DS1515+ with DSM 5.1

The unit is a Plus model and is really powerful as a result. For just over $1000 it’s a little expensive for the hardware but with the ease of use and lack of manual configuration it could be worth it.

The evaluation unit shipped with five 500 GB Western Digital Blacks, admittedly very fast drives.

Delivering DSM

The unit we reviewed doesn't ship with DSM pre-installed; you must download the newest version from the internet, which is good in that it avoids an old version being installed by default. The 186 MB download is a sensible size for most internet links and can be uploaded to the NAS via a web browser if the NAS itself isn't Internet-connected.

Unfortunately, the DSM image is unsigned and is downloaded over unencrypted HTTP, which would allow a man-in-the-middle to modify it or substitute their own version of DSM. The lack of signing may be an intentional trade-off by Synology to let the IT-savvy customise their NAS with ease, but it leaves the door wide open to state-sponsored espionage.
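Until the image is signed, the practical mitigation is to verify it yourself before uploading it to the NAS: fetch it only over HTTPS and compare its hash with a digest obtained through a second channel. The following is an added example, not Synology's code and not part of the original review; it assumes the administrator already holds a trusted SHA-256 digest for the .pat file (for instance copied from the vendor's download page over HTTPS) and that a .pat image is just an opaque byte string for hashing purposes.

```python
"""Out-of-band integrity check for an unsigned firmware image.

Added example, not Synology's code. Assumes the expected SHA-256 digest of
the .pat file was obtained through a trusted channel and that the image is
hashed as an opaque blob.
"""
import hashlib
import hmac
from urllib.parse import urlparse


class FirmwareRejected(Exception):
    """Raised when an image must not be uploaded to the NAS."""


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a large image (a real DSM .pat is ~186 MB) through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_firmware(url: str, image: bytes, expected_sha256: str) -> str:
    """Return the hex SHA-256 of `image` if it is acceptable, else raise.

    1. Transport must be HTTPS: an http:// URL is exactly the man-in-the-
       middle opening described in the review, so it is rejected up front.
    2. The digest must equal the one obtained out of band. hmac.compare_digest
       keeps the comparison constant-time; a habit worth keeping in any
       verifier even though nothing secret is compared here.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme != "https":
        raise FirmwareRejected(f"refusing image fetched over {scheme!r}; use https")
    digest = hashlib.sha256(image).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256.strip().lower()):
        raise FirmwareRejected("digest mismatch: image modified in transit or wrong reference")
    return digest


if __name__ == "__main__":
    # Constructed stand-in for a .pat image; a real run would read the
    # downloaded file with sha256_of_file() and paste the vendor digest.
    image = b"DSM_5.1-5022 placeholder image bytes"
    reference = hashlib.sha256(image).hexdigest()
    print(verify_firmware("https://example.invalid/DSM.pat", image, reference))
    try:
        verify_firmware("http://example.invalid/DSM.pat", image, reference)
    except FirmwareRejected as e:
        print("rejected:", e)
```

Note that a matching hash only proves the file is the one the vendor published; it does not tell you whether the published image itself is trustworthy, which is what a signature would add.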

Passwords and patching

Synology have been regularly patching DSM 5.x to fix exposed vulnerable services. For the NTP vulnerabilities in December they were only a few days behind Cisco. This is a good improvement over older DSM versions, which were updated less frequently (such as those affected by the SynoLocker ransomware).


The downside is that there are no quality checks on password creation. The built-in Security Advisor tool will tell you about weak passwords, but only if you think to run it. It would be nice if it had the standard 'this password is weak' warnings that have become commonplace on websites.

Update options for the operating system are "always update automatically", "apply critical updates automatically" and "download but ask me". This encourages users to keep themselves up to date and gets our tick of approval.

On the other hand, the packages that run on top of DSM aren't set to update automatically by default, and they present a large attack surface if you install WordPress and all the other bells and whistles. Administrators can, however, easily enable automatic updates for them.

The NAS is quite careful about what it exposes publicly, but an end user could still do something silly on their router (as is the case in most of the SME compromises we see). This isn't Synology's fault; it's the nature of the market, unfortunately. Check all of your publicly facing IP addresses for unexpected or unneeded exposed services periodically; this goes for sole traders up to the ASX100.
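One way to do that periodic check is a small TCP connect scan of the service ports a NAS or its router commonly ends up forwarding, compared against an allowlist of what you actually intend to expose. The script below is an added example, not from the review or from Synology; the port list is a constructed selection (DSM's own 5000/5001 plus common file, database and remote-access services), and it must be run from outside your network against your public address, since scanning from the LAN only shows what the NAS exposes internally.

```python
"""Periodic exposure check for a public-facing address.

Added example, not from the review or from Synology. Plain TCP connect scan
of a constructed list of service ports; anything open that is not on the
allowlist is reported as unexpected.
"""
import socket

# Constructed, non-exhaustive list of ports that typically leak through a
# home/SME router in front of a NAS. 5000/5001 are DSM's web UI ports.
COMMON_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 443: "https",
    445: "smb", 873: "rsync", 3306: "mysql", 3389: "rdp",
    5000: "dsm-http", 5001: "dsm-https", 5432: "postgres",
}


def is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect probe: True only if the three-way handshake completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(host: str, ports, timeout: float = 1.0) -> set:
    """Return the subset of `ports` that accept a connection on `host`."""
    return {p for p in ports if is_open(host, p, timeout)}


def unexpected(open_ports, allowlist) -> set:
    """Reachable ports you did not intend to expose."""
    return set(open_ports) - set(allowlist)


def report(host: str, allowlist, ports=None, timeout: float = 1.0) -> dict:
    """Scan and summarise: every open port, and those not on the allowlist."""
    ports = COMMON_PORTS if ports is None else ports
    found = scan(host, ports, timeout)
    return {
        "open": sorted(found),
        "unexpected": sorted(unexpected(found, allowlist)),
        "names": {p: COMMON_PORTS.get(p, "?") for p in sorted(found)},
    }


def self_check() -> dict:
    """Offline demonstration: open a listener on 127.0.0.1 on an ephemeral
    port, then confirm the scanner sees it and flags it as unexpected
    (the allowlist is empty)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return report("127.0.0.1", allowlist=set(), ports=[port])


if __name__ == "__main__":
    # Real use: report("203.0.113.10", allowlist={443, 5001}) from outside
    # your network. Here we only run the offline self-check.
    print(self_check())
```

The allowlist is the important part: the goal is not to find open ports but to notice the difference between what is reachable and what you decided should be, and to re-run the check whenever someone "fixes" the router.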

Synology's Security Advisor is helpful, but is it bulletproof?

Synology now include a Security Advisor, which gives you a quick way to look for any insecure configurations you may have enabled. While this doesn't replace a security expert reviewing your environment, it is a lot better than most general IT support will manage. It can be run on a schedule and alert you to any new issues (such as a user setting a weak password).

Synology also allows for locally encrypted shared folders. This is a great idea for business documents and helps prevent disclosure of documents following physical theft of the NAS, provided the folder is not set to mount automatically with a stored key.

Cloud Sync, a feature that syncs to public clouds such as Dropbox and Google Drive, and the other backup mechanisms, once enabled, give you a recovery path if your users' machines are hit by ransomware, provided the remote copy keeps version history: a plain two-way sync will faithfully replicate the encrypted files. Built-in local backups also give a level of protection but won't help in the case of multiple drive failure, fire or theft. With DSM able to encrypt cloud backups, and considering the cost of cloud hosting, you'd be mad not to use it in an SME setting for added peace of mind.

Another positive sign is that packages are cryptographically signed and the user can decide which publishers to trust. This is a nice touch. If you wish to go outside the Synology ecosystem, 'ipkg' packages are also supported for more esoteric software, though those come without Synology's signing and vetting. We haven't evaluated Synology's approval process, but based on the documentation they are making a good effort to keep malware out of their ecosystem.

The verdict

All in all, the Synology DSM operating system and the DS1515+ NAS unit appeared to be a great mix of security, flexibility and ease of use. Short of going to an Apple iOS-style "app store only" model, they have provided an ecosystem of trusted applications to run on the NAS. Based on our evaluation we would recommend Synology NASes for businesses that don't need dedicated IT infrastructure but still require a local file server.


Stories by Liam Tung
