Individuals and businesses buy NAS devices when they need extra file storage. In an organization, they provide dedicated places for a number of people to store and share their files. Most devices have Ethernet capability, but more and more are developing wireless capacity. Consumer models have as much as 8 TB of storage, and business models can scale into the petabyte range.
Network attached storage (NAS) have come a long way since they were first introduced. In addition to fulfilling their basic file storage and sharing mission, they work as servers for FTP, print, Web, and email. They can also support sharing and streaming to gaming consoles, tablets, and smartphones on a network. They can be configured to regularly back up data, and many vendors back up their own NAS devices to the cloud for additional redundancy.
As organizations look for a way to store and work with big data, NAS devices can add much needed capacity to any network. Unfortunately, as researchers have recently discovered, they’re more vulnerable to attacks than most home routers.
How NAS Is Vulnerable
Organizations that use NAS have to remember that the device isn’t a storage bin; it’s a server. Therefore, it has to be part of the organization’s network security and risk management plan. At a 2013 Black Hat conference, security researcher Jacob Holcomb demonstrated his ability to take over 10 NAS devices from different manufacturers. He estimated that 50 percent of NAS devices could be taken over without authentication.
- Although research is ongoing, researchers know that NAS is vulnerable to the following attacks.
- Command injection (shell injection). Command injection allows attackers to take control of a server from a remote computer.
- Buffer overflows. Attackers use buffer overflows to cause data to overflow into an authorized buffer, rewrite memory and corrupting machine function.
- Information disclosure. Information disclosure attacks give attackers critical information about system function, which can be used to attack the system later and to poach sensitive data.
- Directory traversal. Directory traversal attacks circumvent URLs or website requests within a vulnerable application. They allow attackers to reach far into the server to obtain system information and sensitive information.
- Poor session management. Predictable session tokens and sessions that don’t expire allow hackers to hijack sessions and gain unauthorized access.
- Authentication bypasses. Attackers use tricks either to convince an application that the user is already logged in or to bypass authentication protocols altogether.
- Backdoor accounts. Backdoors allow remote operators to gain administrative controls over a device.
- Cross-site request forgery. Attackers execute cross-site request forgery by using social engineering attacks to get users to login to an application. Then, they use the user’s credentials to conduct unauthorized activity.
How Attackers Take Control
When attackers combine some of these vulnerabilities, they can gain a root shell on the NAS device. Root shells enable them to execute commands on the device at the highest level. Once they have control of an NAS device, they can use it as a doorway into a company network.
An attack like ARP spoofing can allow attackers to start receiving information destined for the NAS device’s IP address. They can not only steal information from the device but also intercept traffic directed toward the device.
Attackers have also manipulated NAS devices for other nefarious purposes. For example, in June 2014, researchers discovered that a hacker had manipulated Synology devices, using their processing power to mine for Dogecoin, an online currency similar to Bitcoin. The attacker made over $600,000 before Synology shut him or her down. Synology also reported that its devices had been infected by a piece of ransomware similar to CryptoLocker, which the company nicknamed “SynoLocker.”
Preventing Data Breaches
In many cases, device manufacturers use the same code for both high-end and low-end NAS devices within their product lines. Because an enterprise device uses the same code as a consumer device, an attacker who can hack a home NAS can hack a business NAS. An attacker who gains control of a home router can modify and capture traffic coming through a home network. By attacking an NAS device, the hacker can execute a costly and embarrassing data breach.
Businesses should protect their intellectual property and customer data by making sure that their internal security teams understand how NAS devices are vulnerable. They should also discuss NAS protection strategies with their network security providers.
