HKCert
Security Blog

Security Risks of Network-Attached Storages (NAS)

Release Date: 24 / 09 / 2015
Last Update: 24 / 09 / 2015

Continuing on from where the two previous articles discussing the risks of networked devices left off, this article will focus on the increasingly popular networking device – the network-attached storage (NAS). With the advance in technology, many users have incorporated NAS decides in their homes to share and disseminate files with their families. NAS have also been adopted by enterprises for a long period of time due to its applications in a business setting.

 

NAS are usually installed on a private network (intranet). Furthermore broadband and mobile connection speeds are exponentially growing, some users connect their NAS directly to the Internet to make their files accessible from anywhere, while ignoring the risks in the process. HKCERT used Shodan to search for relevant data to further analyze the usage of NAS devices on Hong Kong networks.

 

On the 28th of August, HKCERT selected seven relatively popular small-capacity NAS brands for analysis and discovered 17,459 NAS devices that were connected to the Internet.

 

Small NAS BrandQuantity
 Synology 12,617
 QNAP 4,740
 Iomega 49
 WD MyCloud 47
 Asustor 4
 Thecus 2
 AKiTiO 0
 Total: 17,459

 

 

Newer versions of NAS devices have increased functionalities in addition to the major function of sharing files. Some examples of the functions are listed below:

  1. File Transfer Services (FTP)
  2. Internet Small Computer System Interface (iSCSI)
  3. Network file systems (NFS)
  4. Document sharing services (Samba)
  5. Cloud backup
  6. NAS file synchronization

We used the commonly employed functionalities/services FTP and Samba and analyzed the number of NAS devices that were connected to the Internet with these services enabled:

 

Small NAS BrandFTP ServicesSamba Services
 QNAP 145 66
 Synology 137 32
 WD MyCloud 0 15
 Iomega 0 4
 AKiTiO 0 0
 Asustor 0 0
 Thecus 0 0
 Total: 282 117

 

 

The data shows that NAS devices with FTP services and Samba services enabled were no more than 3% and 2% respectively. Although the quantity is not relatively large, nonetheless using FTP and Samba services while directly connected to the Internet opens up a wide variety of risks that should not be ignored due to the fact that most devices have a simple login authentication.

 

All NAS devices come with a Web Admin Interface. Some devices use special communication protocols as an entry point, such as Synology which defaults to TCP on port 5000 and QNAP which uses TCP on 8080. We discovered that we could discover most of the NAS devices' brands by accessing the devices' default web admin interface.

 

Web Admin InterfaceSynologyQNAP
 Can be accessed over the Internet 12,224 4,690
 Cannot be accessed over the internet 393 50

 

 

Exposing the web admin interface, FTP service and Samba service to the Internet causes extreme security risks. As these management interfaces only require a simple username and password as authentication, attackers can use brute-force method to crack the password to gain access to the system. If malicious users are able to access the administrator account, they can change the settings of the NAS and install malicious programs. Thus some NAS systems are designed to prevent or limit brute-force attacks by limiting the number of password attempts.

 

Although NAS devices support different security functionalities for users to choose from, if security vulnerabilities are found on the device, attackers can bypass the authentication system to gain access to the system as the system administrator. One of the most prominent attacks occurred in the August of 2014 where the ransomware SynoLocker, which was a malicious program targeting NAS devices, could directly infect NAS devices and encrypt all the files to extort the users. Users would be forced to pay up to get the encryption key to regain their files or the attackers would delete the key.

 

For more information regarding the SynoLocker virus, please have a look at ‘SynoLocker ransomware's effects on SynologyDiskStation’。

 

Advice to the Public:

 

The security of internet devices are often ignored as most users will not continuously manage the settings after the initial setup. Over a long period of time, problems and vulnerabilities will appear. This is especially true for smaller NASs as they provide functionality that resembles a small server such as website management, virtual private networks and email services. Manufacturers often provide additional functionalities for users to install. Users should be vigilant and notice whether the functions could cause security risks and not ignore the risks for a simple convenience.

 

HKCERT suggests users to:

  1. If not absolutely necessary, do not connect NAS devices to the Internet
  2. If necessary, use a virtual private network (VPN) before access
  3. Change the default protocol and port for the web admin interface
  4. Change the default administrator password or create a new administrator account
  5. If not necessary, do not install or enable additional functionalities
  6. Periodically backup files
  7. Continuously update the system and notice the security alerts for their devices