September 29, 2017

New NAS vulnerabilities are pretty much as bad as they get


If you have a QNAP network attached storage (NAS) device, you’d better make sure the firmware is updated.

Earlier this year, F-Secure senior security consultant Harry Sintonen presented research on a series of vulnerabilities he found in a QNAP network attached storage (NAS) device. Unfortunately, Harry has discovered more problems since then. And his newer discoveries are considerably more serious.

“The previous vulnerabilities I found were only useful to an attacker that put themselves between QNAP servers and their targets. That’s a difficult enough step to discourage most attackers from using those vulnerabilities as part of a widespread attack,” said Harry. “But that’s not the case with what I’ve found more recently.”

Harry’s advisory gives a technical deep dive into the new vulnerabilities he found. But basically, they allow attackers to remotely take over the device by using what’s known as a “command injection”. And that’s exactly what it sounds like: an attacker remotely inserts commands for your NAS device to run.

Not only does this allow attackers to access any data the device contains, but they can also do things like delete information, lock out other users (including the device owners), hijack the device for use in further attacks, and pretty much whatever else they want.

Or, as F-Secure cyber security expert Janne Kauhanen puts it, this is pretty much as bad as vulnerabilities get. “These vulnerabilities are easy, attractive targets for attackers. They don’t require any special hacking kung-fu, like special access privileges, to use. Attackers can use vulnerabilities like this to fully compromise the security of the device, as well as the confidentiality of any information it contains.”

And to make matters worse, exposed NAS drives give attackers an opportunity to be a lot more creative about their scams. “A storage device like this can basically be used like an online server,” explains Janne. “It’s easy for attackers to store anything on your device, to run any kind of service from there. From a web shop selling dubious goods or services, to an attack platform launching further attacks all over the internet, leaving you to explain why the attacks originate from your home. Or they can plant some compromising material on your NAS device and use it to blackmail you – what Russians call ‘kompromat’.”

“Online extortion is hugely successful, and in scenarios like this, it doesn’t matter whether or not you actually do something wrong. The only thing standing between you and a motivated extortionist is the security of the devices you depend on,” adds Janne.

So who needs to be worried? Well, Harry used a QNAP TVS-663 during his research to confirm his findings. But the real problem lies in the firmware, which is typically a big problem in a lot of internet-connected devices (routers, webcams, and other inexpensive devices that connect to the internet).

These same vulnerabilities are likely found in any device running the same firmware (in this case, QTS 4.2.3). Harry found almost 90,000 devices that he thinks may be vulnerable. But he limited his search to devices currently online, so the number may be higher.

F-Secure Researcher and QNAP NAS device owner Mikael Albrecht thinks insecure NAS units are a much bigger problem than other Internet of Things (IoT) devices. “As a QNAP owner I’m naturally shocked when reading Harry’s advisory. I’m used to security problems in IoT-gadgets, but an insecure NAS is far more severe. Most of the digital stuff I have produced during my whole life is on that device! Luckily QNAP has a working process for distributing updates, and does it quite frequently.”

And there’s the good news: QNAP has already fixed the problem and released an updated version of the vulnerable firmware. According to Harry’s advisory, they took care of this problem pretty quickly, and much better than the response other device vendors have given when confronted with security problems in their products.

So if you have a QNAP NAS device, you’d better update it now (or make sure it’s running QTS 4.2.4). In fact, you should consider keeping a closer eye on any internet-connected devices you have to make sure the firmware is updated. The sheer number of IoT devices flooding the market, many of which lack the kind of security people need to keep their information private and safe, gives criminals a lot more ways to attack individuals and companies. So you might as well get in the habit of keeping these devices updated and secure.

F-Secure media relations 

Geoff Dorrington

PR manager, F-Secure UK & Ireland

E: geoff.dorrington@f-secure.com

T: 01753 376592

 

 ###

 
