F-Secure claims new NAS vulnerabilities are “as bad as they get”
F-Secure claims new NAS vulnerabilities are “as bad as they get”

Earlier this year, F-Secure senior security consultant Harry Sintonen presented research on a series of vulnerabilities he found in a QNAP network attached storage (NAS) device.

Sintonen has since discovered more problems since then, and says his newer discoveries are considerably more serious.

“The previous vulnerabilities I found were only useful to an attacker that put themselves between QNAP servers and their targets. That's a difficult enough step to discourage most attackers from using those vulnerabilities as part of a widespread attack,” said Sintonen. “But that's not the case with what I've found more recently.”

Sintonen's advisory gives a technical deep dive of the new vulnerabilities he found. But basically, they allow attackers to remotely take over the device by using what's known as a “command injection”. And that's exactly what it sounds like: an attacker remotely inserts commands for your NAS device to run.

Not only does this allow attackers to access any data the device contains, but they can also do things like delete information, lock out other users (including the device owners), hijack the device for use in further attacks, and pretty much whatever else they want.

Or, as F-Secure cyber-security expert Janne Kauhanen puts it, this is pretty much as bad as vulnerabilities get. “These vulnerabilities are easy, attractive targets for attackers. They don't require any special hacking kung-fu, like special access privileges, to use. Attackers can use vulnerabilities like this to fully compromise the security of the device, as well as the confidentiality of any information it contains.”

And to make matters worse, exposed NAS drives give attackers an opportunity to be a lot more creative about their scams. “A storage device like this can basically be used like an online server,” explains Janne. “It's easy for attackers to store anything on your device, to run any kind of service from there. From a web shop selling dubious goods or services, to an attack platform launching further attacks all over the internet, leaving you to explain why the attacks originate from your home. Or they can plant some compromising material on your NAS device and use it to blackmail you – what Russians call ‘kompromat'.”

“Online extortion is hugely successful, and in scenarios like this, it doesn't matter whether or not you actually do something wrong. The only thing standing between you and a motivated extortionist is the security of the devices you depend on,” adds Kauhanen.

So who needs to be worried? Well, Sintonen used a QNAP TVS-663 during his research to confirm his findings. But the real problem lies in the firmware, which is typically a big problem in a lot of internet-connected devices (routers, webcams, and other inexpensive devices that connect to the internet).

These same vulnerabilities are likely found in any device running the same firmware (in this case, QTS 4.2.3). Sintonen found almost 90,000 devices that he thinks may be vulnerable. But he limited his search to devices currently online, so the number may be higher.

F-Secure Researcher and QNAP NAS device owner Mikael Albrecht thinks insecure NAS units are a much bigger problem than other Internet of Things (IoT) devices. “As a QNAP owner I'm naturally shocked when reading Sintonen's advisory. I'm used to security problems in IoT-gadgets, but an insecure NAS is far more severe. Most of the digital stuff I have produced during my whole life is on that device! Luckily QNAP has a working process for distributing updates, and does it quite frequently.”

And there's the good news: QNAP has already fixed the problem and released an updated version of the vulnerable firmware. According to Sintonen's advisory, they took care of this problem pretty quickly, and much better than the response other device vendors have given when confronted with security problems in their products.

So if you have a QNAP NAS device, you better update it now (or make sure it's running QTS 4.2.4). In fact, you should consider keeping a closer eye on any internet-connected devices you have to make sure the firmware is updated. The sheer number of IoT devices flooding the market, many of which lack the kind of security people need to keep their information private and safe, gives criminals a lot more ways to attack individuals and companies. So you might as well get in the habit of keeping these devices updated and secure.