A security review of network-attached storage (NAS) devices from multiple manufacturers revealed that they typically have more vulnerabilities than home routers, a class of devices known for poor security and vulnerable code.
Jacob Holcomb, a security analyst at Baltimore-based Independent Security Evaluators, is in the process of analyzing NAS devices from 10 manufacturers and has so far found vulnerabilities that could lead to a complete compromise in all of them.
"There wasn't one device that I literally couldn't take over," Holcomb said Wednesday during a talk at the Black Hat security conference in Las Vegas, where he presented some of his preliminary findings. "At least 50 percent of them can be exploited without authentication," he said.
The devices he evaluated are: Asustor's AS-602T, TRENDnet's TN-200 and TN-200T1, QNAP's TS-870, Seagate's BlackArmor 1BW5A3-570, Netgear's ReadyNAS104, D-Link's DNS-345, Lenovo's IX4-300D, Buffalo's TeraStation 5600, Western Digital's MyCloud EX4 and ZyXEL's NSA325 v2.
So far, the security organization MITRE has assigned 22 CVE (Common Vulnerabilities and Exposures) identifiers for the issues the researcher has found, but the project has just begun and he expects to find many more by the end of the year. These devices are far worse than routers, he said.
Holcomb led a similar study last year that identified over 50 vulnerabilities in popular SOHO routers. He expects the number of vulnerabilities identified in NAS systems to far exceed those he found in routers by the time his new project is over.
The types of issues he found in the NAS systems include command injection, cross-site request forgery, buffer overflows, authentication bypasses and failures, information disclosure, backdoor accounts, poor session management and directory traversal. By combining some of these vulnerabilities, attackers can gain a "root shell" on the devices, allowing them to execute commands with the highest possible privilege.
Holcomb demonstrated such attacks during his Black Hat presentation against the D-Link, Netgear, Buffalo and TRENDnet NAS devices. He also disclosed a backdoor account on the Seagate device and deterministic cookie generation on the Asustor product.
All the vulnerabilities found so far were reported to the vendors, but the release of patches for them can take months, Holcomb said. The issues presented at Black Hat had not yet been fixed, so they can be considered zero-days, he said.
There are obvious differences in what can be done by compromising NAS devices and compromising routers. By controlling a router, an attacker could capture and modify Internet traffic for a network, while hacking into a NAS system could provide access to potentially sensitive information stored on it.
A router is more likely to be accessible from the Internet than a NAS system, but this doesn't mean that NAS devices are not being targeted by attackers.