Posted by Andrew Harrison 25 September 2014
The easiest way for criminals to hack your data may not be your PC
The easiest way for criminals to hack your data may not be your PC – it might be your NAS.
It’s amazing what you can do with a NAS drive these days. Far more than simple file storage and serving, they have evolved into fully fledged computing control centres, taking on many of the tasks of the traditional PC that used to reside in every home.
First it was media streaming, integrating server software specially designed to let you listen to music and watch films via on-board DLNA, UPnP or iTunes servers. With these services enabled you can watch films stored on your NAS with a set-top box adaptor like the WD TV Live, or play music on a network hi-fi music player from the likes of Cyrus, Linn or Naim.
Then download software was included in the typical NAS feature list, turning a NAS drive into a torrent client to trickle in assorted online content to these always-on PC storage stations.
With the growth of affordable security cameras, many businesses now have an array of IP cameras to monitor their staff, car parks, customers and stock around the clock. And even home users can install cheap IP cams to monitor the car, the kids or the cat. The NAS drive comes to the rescue here once again, always on and ready to record a continuous video stream or only when motion is detected.
Your own personal cloud
More recently we’ve seen home NAS drives take on the role of a personal cloud, promoted heavily by WD in its My Cloud hardware range, but available before that as installable apps for Synology and QNAP boxes too.
With a NAS cloud folder set up and running, you get all the benefits of having synced directories between your Windows PC and Mac, with any change in files on one machine quickly echoed on every other connected PC; and again, the NAS drive is running this show with its central repository of your essential files and folders.
Compared to the usual suspects of Dropbox, Google Drive et al, the result keeps your data off a third party's servers and out of reach of bulk collection aimed at those providers, and you get terabytes of space with no recurring fee rather than gigabytes for tens or hundreds of pounds every year. The caveat is that a personal cloud is only as secure and as available as the box running it and whatever relay sits in front of it. In WD's case, which insists on routing your remote connection through its own servers, an outage of the company's servers that lasted more than a week must have put users off the idea of trusting personal cloud options on their WD NAS.
More recently we’ve seen a development to let you run a complete PC, on your NAS, virtualised. In the IDG test lab right now I have a QNAP TS-670 Pro which, when loaded with a large dollop of RAM, promises to run any x86 operating system such as Linux, UNIX or Windows. This is really taking the lead from big-iron enterprise servers that can virtualise assorted software servers on a single powerhouse server, a move that cuts hardware and energy costs for businesses.
For the home consumer the use case may be less obvious; maybe you have a Mac-only home but need to run some obscure XP program occasionally. With QNAP's new feature, you needn't go to the expense of purchasing VMware Fusion or Parallels: just load up a Windows VM, hosted and run from your NAS. The hypervisor isolates the guest from the NAS operating system, but the VM still shares the box's network and storage, so an unpatched XP guest is another machine on your LAN that needs looking after.
With all this power comes even greater responsibility – a commitment from the NAS maker to ensure that only you and your family or trusted work colleagues get that ease of access to all that precious data.
Unfortunately that’s been far from the case recently. Like many internet-attached products, most NAS operating systems were affected by the notorious Heartbleed bug in OpenSSL (CVE-2014-0160). It is not a remote root exploit as such: it is a missing bounds check in the TLS heartbeat extension that lets an unauthenticated remote attacker read up to 64KB of the server process's memory per request, and whatever happens to be there, including private keys, session cookies and login credentials, comes back to them. Against a NAS whose web admin interface is exposed to the internet, that is enough to hijack the admin session and hand the NAS, and all its files, over to a remote attacker. Five months after the public disclosure of this security nightmare, holes are still being shored up – only last week in late September as I write, QNAP was still plugging OpenSSL CVE holes. And in an added insult to users, QNAP’s auto-notification system, which should alert the NAS admin user that patches have been made available, failed to work. That’s a dangerous way to leave your customers with a false sense of security that they’re on the latest and most secure build when they log in.
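To make the Heartbleed mechanism concrete, here is an added toy simulation of the heartbeat handler, written for this article rather than taken from OpenSSL or any NAS vendor. It models the server's heap as a byte string (constructed: the incoming record followed by a made-up session cookie) and shows the vulnerable behaviour, which trusts the attacker-supplied length field, next to the patched behaviour, which rejects any record whose declared payload does not fit in the bytes actually received.

```python
import struct

# Constructed stand-in for the server's heap: the incoming heartbeat record is
# placed at offset 0 and whatever happened to be adjacent (here a session cookie
# left over from an earlier request) follows it. Not real OpenSSL memory.
NEIGHBOUR_DATA = b"sessionid=0123456789abcdef; admin=1;" + b"\x00" * 64

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(declared_len: int, payload: bytes) -> bytes:
    """Encode a heartbeat request: type (1 byte), payload_length (2 bytes),
    payload, padding. An honest client sets declared_len == len(payload);
    a Heartbleed probe declares far more than it sends."""
    header = struct.pack("!BH", HEARTBEAT_REQUEST, declared_len)
    return header + payload + b"\x00" * PADDING_LEN


def _heap_with(record: bytes) -> bytes:
    # The record lands at the start of our toy heap, followed by unrelated data.
    return record + NEIGHBOUR_DATA


def vulnerable_handler(record: bytes) -> bytes:
    """Pre-1.0.1g behaviour: copy payload_length bytes starting at the payload,
    whether or not that many bytes were ever sent. Over-reads into whatever
    is next on the heap and echoes it back to the client."""
    heap = _heap_with(record)
    _, declared_len = struct.unpack("!BH", heap[:3])
    payload = heap[3:3 + declared_len]  # over-read when declared_len > actual
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, declared_len)
    return header + payload + b"\x00" * PADDING_LEN


def patched_handler(record: bytes):
    """1.0.1g behaviour: silently discard any heartbeat whose declared payload,
    plus the 3-byte header and minimum padding, exceeds the record length."""
    if len(record) < 3:
        return None
    _, declared_len = struct.unpack("!BH", record[:3])
    if 1 + 2 + declared_len + PADDING_LEN > len(record):
        return None  # the fix: drop the record instead of trusting the length
    payload = record[3:3 + declared_len]
    header = struct.pack("!BH", HEARTBEAT_RESPONSE, declared_len)
    return header + payload + b"\x00" * PADDING_LEN


def response_payload(response: bytes) -> bytes:
    """Extract the payload a client receives from a heartbeat response."""
    _, declared_len = struct.unpack("!BH", response[:3])
    return response[3:3 + declared_len]


if __name__ == "__main__":
    probe = build_heartbeat(200, b"ping")  # says 200 bytes, sends 4
    leaked = response_payload(vulnerable_handler(probe))
    print("vulnerable server returned", len(leaked), "bytes:", leaked[:60])
    print("patched server returned", patched_handler(probe))
```

The probe sends a four-byte payload but declares 200; the vulnerable handler dutifully returns 200 bytes starting at the payload, dragging the neighbouring cookie along with it, while the patched handler returns nothing. Real servers hold far more interesting neighbours than a toy cookie, and an attacker can repeat the request as often as they like.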
Lock you out
But perhaps the scariest development in NAS insecurity to date was the SynoLocker malware infection. This came to light in August this year, when a flaw in Synology’s DSM software allowed online criminals to gain entry and encrypt the contents of the entire NAS drive, extorting money from the owner to unlock the drive and return all its files.
Synology announced that the security hole affected v4.3 and earlier versions of DSM, and was patched in December last year. The current DSM 5.0 is said not to be afflicted. But that’s cold comfort for users who do not religiously update their NAS with every new build that’s made available.
This kind of critical problem is made worse by the newfound abilities of NAS drives, which now routinely open ports in your router and firewall, often automatically via UPnP, in order to facilitate remote access. The most reliable remedy is to keep the NAS off the public internet altogether: don’t forward ports to it, turn off UPnP on the router, and if you must reach it from outside, do so over a VPN, in anticipation of the next security flaw that could needlessly expose your NAS and all its contents to remote hackers. Logging in to your NAS’ admin interface to check for newly flagged updates is a good habit, although, as we found, you can’t trust the built-in update service to work, so you need to check the maker’s website for patches as well.
It’s amazing what you can do with a NAS these days, and equally what ne’er-do-wells will think of to exploit them. Most ingenious use of a NAS drive we know of so far? How about breaking in and installing cryptocurrency-mining software. The scheme abused the multi-core processing power now commonplace in many NAS drives, and in the widely reported Synology case the attacker’s NAS botnet mined an estimated £380,000 worth of Dogecoin.
Synology knows its success in developing and selling its products makes it a bigger target these days, and now sets the NAS firmware to update itself automatically without user intervention. Not only has the NAS taken on a PC-like role in the home and workplace, it has also become a Windows-like malware target and has adopted Microsoft’s answer to keeping the PC patched.