NETWORK ATTACHED STORAGE (NAS)
NAS stands for Network Attached Storage. Think external hard drive with an Ethernet port that plugs into a router. Two large vendors are Synology and QNAP.
- Avoid using the default admin account. First, create a new admin account. Then, either disable the system default admin account or make its password very long and very random.
- Create a second admin account. I say this from experience: you don't want all your eggs in one basket.
- Don't allow direct access to the NAS from the Internet.
- On Synology, that means avoiding QuickConnect.
- Disable UPnP in the router to prevent the NAS from opening ports for itself.
- My Test your Router page links to many websites that offer tests of the firewall in a router.
- Case in point: A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition by Vera Mens and Sharon Brizinov (August 9, 2023). Synology offers their customers remote access to NAS boxes via the Synology QuickConnect cloud-based infrastructure. Team82 has developed a technique that allowed them to impersonate a Synology NAS and force the QuickConnect cloud service to redirect users to an attacker-controlled device. They uncovered credential theft flaws and remote code execution vulnerabilities that could allow a bad guy to control your NAS and steal your files. Synology has fixed the bugs and has updated its cloud service. Still, it is a bad idea to open up a NAS to the Internet.
- If open ports are necessary, do not use the default ports.
- If the NAS file system supports snapshots, take the time to get up to speed on the feature. This is a big deal. Speaking of snapshots, consider stepping up to a FreeNAS box from iXsystems that runs ZFS. The Mini is their entry level model.
- Chances are the NAS is able to turn itself on and off. If the NAS is off at night, then no data can escape. If data is being stolen during the day, it is more likely to be noticed. Plus, this saves electricity.
- As always, disable features not being used; perhaps SSH and Telnet access.
- As always, avoid short passwords.
- The NAS operating system will have its own security scheme. Create multiple userids, one with full Admin privileges but all the others having a limited set of privileges. This will probably take some trial and error.
- If there is lightning in your area, power off and unplug the NAS. No surge protector can stand up to lightning.
- February 3, 2022: Recent QNAP and Synology Security Alerts: How to Protect Your NAS by Jeremy Milk of BackBlaze.
- In August 2021, I blogged about how I use a router firewall rule to prevent my NAS from making any outbound connections, except for 30 minutes a day: A firewall rule can help block ransomware.
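A rule like the one in the last item is only useful if someone checks that it holds. The following is an added example, not code from this page or from the blog post it mentions: it reads router firewall log lines and reports any connection the NAS made to the Internet outside the allowed daily window. The NAS address, LAN range, window times and log format are all assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, time

# Assumptions for this example (not from the original page):
NAS_IP = "192.168.1.50"                       # fixed LAN address of the NAS
LAN = ipaddress.ip_network("192.168.1.0/24")  # local network; LAN traffic is ignored
WINDOW = (time(3, 0), time(3, 30))            # the daily 30 minutes outbound is allowed

# Constructed log lines in a hypothetical router log format.
SAMPLE_LOG = """\
2021-08-14T03:05:12 ACCEPT SRC=192.168.1.50 DST=203.0.113.10 DPT=443
2021-08-14T03:31:40 DROP SRC=192.168.1.50 DST=203.0.113.10 DPT=443
2021-08-14T14:22:03 ACCEPT SRC=192.168.1.50 DST=198.51.100.7 DPT=8443
2021-08-14T14:25:00 ACCEPT SRC=192.168.1.23 DST=198.51.100.7 DPT=443
2021-08-14T15:00:00 ACCEPT SRC=192.168.1.50 DST=192.168.1.1 DPT=53
garbage line the parser must skip
"""

LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) SRC=(\S+) DST=(\S+) DPT=(\d+)$")

def in_window(t, window=WINDOW):
    """True if time-of-day t is in [start, end), including windows that wrap midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def audit(log_text, nas_ip=NAS_IP, lan=LAN, window=WINDOW):
    """Return (leaks, blocked): accepted and dropped NAS-to-Internet connections outside the window."""
    leaks, blocked = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a connection record
        stamp, action, src, dst, port = m.groups()
        try:
            when = datetime.fromisoformat(stamp)
            outbound = src == nas_ip and ipaddress.ip_address(dst) not in lan
        except ValueError:
            continue                      # malformed timestamp or address
        if not outbound or in_window(when.time(), window):
            continue
        record = (stamp, dst, int(port))
        (leaks if action == "ACCEPT" else blocked).append(record)
    return leaks, blocked

if __name__ == "__main__":
    leaks, blocked = audit(SAMPLE_LOG)
    for stamp, dst, port in leaks:
        print(f"ALERT {stamp}: NAS reached {dst}:{port} outside the allowed window")
    print(f"{len(blocked)} out-of-window attempt(s) were dropped by the rule")
```

An accepted connection outside the window means the rule is missing, disabled or being bypassed; dropped attempts show the rule working and are worth a look for what the NAS keeps trying to reach.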
SYNOLOGY
QNAP
D-LINK
- In April 2024, it came out that some D-Link NAS devices had a backdoor. That is, D-Link could get into the devices whenever they pleased. This is not something a reputable company does. See Critical takeover vulnerabilities in 92,000 D-Link devices under active exploitation by Dan Goodin for Ars Technica. The article describes two issues: one is a bug, the other is the backdoor account enabled by credentials hardcoded into the firmware. The devices at issue are old and D-Link will do nothing about either issue.
WESTERN DIGITAL
- Western Digital (WD) has a poor track record as far as security goes. The articles below illustrate this. Probably best to avoid their NAS devices. Dong Ngo has tested many NAS devices over many years. He recommends Synology.
- Western Digital struggles to fix massive My Cloud outage, offers workaround by Sergiu Gatlan for Bleeping Computer. April 8, 2023. The response from WD to this outage has been poor.
Affected services: My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi, SanDisk Ixpand Wireless Charger, and their linked mobile, desktop, and web apps. The outage has prevented users from accessing files stored on their WD NAS devices, as this requires access to the company's cloud services.
March 26, 2023: They discover a network security incident.
April 3, 2023: They announce it.
April 8, 2023: They provide a workaround so that customers can access their local files.
April 11, 2023: Still off-line, with no estimate for when things will go back to normal.
- Western Digital's My Cloud goes offline after hack by Mark Hachman for PCWorld. April 11, 2023. "WD's My Cloud service remains offline as of April 11, and the company has provided no additional information on when the service will be restored."
- Another 0-Day Looms for Many Western Digital Users by Brian Krebs.
July 2, 2021. Quoting: "Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system."