Researchers find dozens of critical vulnerabilities in NAS devices

Aug 8, 2014 08:46 GMT  ·  By

Security researchers evaluated a number of network access storage (NAS) devices and found them highly vulnerable to attacks that could lead to complete control over them.

As this type of file storage has become more widespread, Jacob Holcomb, security analyst at Independent Security Evaluators, prepared a presentation for the Black Hat security conference in Las Vegas this week, based on the organization’s extensive analysis of this type of device.

The analyst discovered dozens of security flaws that could be leveraged by an intruder to gain administrator access to the network storage system; these included methods such as command injection, directory traversal, authentication bypass, memory corruption or backdoors.

The evaluation included products from well-known manufacturers like Seagate, D-Link, WesternDigital or Netgear. Some of the glitches discovered have already been assigned Common Vulnerabilities and Exposures identifiers.

Unauthorized access to a network storage device not only exposes the information it contains, but it can also lead to larger damage that could compromise the entire network infrastructure, allowing access to information on other systems as well.

This may not be the case with home users, but NAS devices are employed by educational institutions, government institutions and businesses too, since they provide easier access to files from anywhere.

“Similar to other network hardware (e.g., routers), these devices are purchased and installed by IT teams and home consumers with the expectation that the system is protected from the infamous hacker,” says Holcomb in the presentation abstract.

Cybercriminals have already started to take advantage of some of the flaws. In a recent incident that targeted NAS products from Synology, crooks managed to plant a file encryption tool (Synolocker) that automatically locks important files on the storage system.

Some users reported that this type of attack also affected devices from other manufacturers as well.

When the user tries to log in, they’re welcomed by a ransom message asking them to pay a 0.6 ($350 / €262) Bitcoin fee in order to receive the decryption key, but users should know that there are ways to thwart this attack, which may be perpetrated through brute-forcing the login feature of the system.

However, the fact that researchers found a large amount of flaws touching on the security of these devices could lead to an increased number of attacks specifically devised to target them.

The vendors whose products were found buggy have been informed, but there is no time frame for the release of patches, and a great deal of users may miss them or choose not to apply them, leaving their systems open to outside attacks.