September 29, 2017 |

Flaws in NAS Firmware expose users to ‘massive compromise’

F-Secure researchers find multiple vulnerabilities in a NAS device that attackers can use to steal data and passwords, or even remotely execute commands.   Berkshire, UK – 17th January 2017: F-Secure researchers have discovered three vulnerabilities in a network attached storage (NAS) device made by QNAP Systems Inc. The cyber security company warns that attackers […]

F-Secure researchers find multiple vulnerabilities in a NAS device that attackers can use to steal data and passwords, or even remotely execute commands.


Berkshire, UK – 17th January 2017: F-Secure researchers have discovered three vulnerabilities in a network attached storage (NAS) device made by QNAP Systems Inc. The cyber security company warns that attackers can exploit these vulnerabilities to seize control of these devices. The findings may apply to millions of devices currently in use, and continues a worrying trend of insecure products leaving users exposed to online threats.

Researchers found the flaws during an examination of QNAP’s TVS-663 NAS device. The investigation found that attackers could use vulnerabilities in the device’s firmware update process to seize administrative control. This degree of control would give them the same rights as legitimate administrators, allowing attackers to do things like install malware, access content and data, steal passwords and even remotely execute commands.

Harry Sintonen, senior security consultant at F-Secure, developed a proof-of-concept exploit to confirm that these vulnerabilities could be exploited by attackers. “Many of these types of vulnerabilities are not severe on their own. But attackers able to put them together can cause a massive compromise,” said Sintonen. “Successful hackers understand that even small security oversights can become big opportunities with the right know-how.”

Sintonen’s proof-of-concept begins when the device sends unencrypted requests for firmware updates back to the company. This lack of encryption allows potential attackers to intercept and modify the response to that request. Sintonen took advantage of this weakness by serving the device with an exploit disguised as a firmware update. The phony firmware update Sintonen created tricks the device into automatically attempting to install it. And while the fake update is never actually installed, the exploit uses a flaw in the process to produce a full system compromise.

According to Sintonen, stealing or altering data is trivial for an attacker able to leverage these vulnerabilities the same way he did. “All you really have to do is tell the device that you have a newer version of its firmware. And because the update request is done without encryption, that’s not very difficult to do. After that, basically anything an attacker wants to do is like taking candy from a baby.”

While Sintonen limited his investigation to QNAP’s TVS-663, he suspect’s models using the same firmware possess the same issues. Based on this, Sintonen estimates that over 1.4 million devices could be vulnerable, although he admits the number could be much higher.

“We found 1.4 million devices by researching firmware versions currently in use. But since many people never update their firmware, the actual number could be much higher. Possibly millions,” said Sintonen.

Advice for affected users

F-Secure notified QNAP about these issues in February 2016. However, as of the time of this writing, F-Secure researchers were not aware of any fix made available by QNAP. Without a patch issued by the company, there is no way to permanently fix affected devices.

But according to F-Secure’s cyber security expert Janne Kauhanen, there is a silver lining in this case. “Problems like these are incredibly common for internet-connected devices, so we’re all constantly buying products that have these security issues. But in this case, attackers first need to put themselves between the update server and user, and this extra step is enough work to discourage many opportunistic or low-skilled attackers,” said Kauhanen. “But we’ve seen cases where motivated attackers have used similar security issues to do recon in preparation of a phishing campaign, or hide their presence in networks, so they can still do some real damage.”

There are ways users can protect themselves while they wait for a permanent fix. Anyone using QNAP’s TVS-663 or other devices running the same firmware (QTS firmware 4.2 or later) should disable automated firmware update checks, and perform the check manually with secure sources until the problem is fixed.  Kauhanen recommends anyone using an affected device for work or tasks involving sensitive information implement these temporary measures to protect themselves.

The vendor and authorities have been made aware of this vulnerability well before this public disclosure.


More information:

The IoT needs Vulnerability Research to Survive

About F-Secure

Nobody knows cyber security like F-Secure. For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. With unsurpassed experience in endpoint protection as well as detection and response, F-Secure shields enterprises and consumers against everything from advanced cyber attacks and data breaches to widespread ransomware infections. F-Secure’s sophisticated technology combines the power of machine learning with the human expertise of its world-renowned security labs for a singular approach called Live Security. F-Secure’s security experts have participated in more European cyber crime scene investigations than any other company in the market, and its products are sold all over the world by over 200 broadband and mobile operators and thousands of resellers.


Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd. |


F-Secure media relations 

Geoff Dorrington

PR manager, F-Secure UK & Ireland


T: 01753 376592








Latest Events
Press Archives
Select Year

Latest Press Releases

March 15, 2018

F-Secure’s Aviation Cyber Security Services Takes Off

F-Secure’s new service combines expertise in aviation and cyber security to help aviation companies protect their most critical assets. Buckinghamshire, UK – March 15, 2018: Trust is everything in the aviation industry. And a successful cyber attack – even a minor one against something like an in-flight entertainment system – could undermine confidence in airlines […]

February 28, 2018

F-Secure Introduces Unique Partner-Driven Service to Stop Targeted Cyber Attacks Globally

Channel partners have immense new service opportunities to protect their customers from rising numbers of targeted and fileless attacks with a leading-edge managed endpoint detection and response service. Buckinghamshire, UK – February 28, 2018: Businesses globally are being compromised by an onslaught of targeted and fileless cyber attacks, and industry-leading cyber security vendor F-Secure is […]

February 22, 2018

Incident Detection, Email Attacks Continue to Cause Headaches for Companies

F-Secure’s new Incident Response Report points to email inboxes as the weakest link in security perimeters, and finds that companies struggle with quickly and accurately detecting security incidents. Buckinghamshire, UK – February 22, 2018: Over one-third of all security incidents start with phishing emails or malicious attachments sent to company employees, according to a new […]

February 14, 2018

F-Secure appoints Beta Distribution as a UK distributor of security solutions for corporate resellers

Buckinghamshire, UK – 14th February 2018: Global cyber security company F-Secure today announces the appointment of Beta Distribution as a UK distributor for corporate resellers. Beta Distribution, Headquartered in London and with offices throughout the UK, is a specialist product, services and solutions IT distributor which serves over 3,000 resellers across the UK, including over […]

%d bloggers like this: