According to PCWorld, a security review of network-attached storage (NAS) devices from multiple manufacturers revealed that they typically have more vulnerabilities than home routers, a class of devices known for poor security and vulnerable code.
Jacob Holcomb, a security analyst at Baltimore-based Independent Security Evaluators, is in the process of analyzing NAS devices from 10 manufacturers and has so far found vulnerabilities that could lead to a complete compromise in all of them.
Jacob Holcomb said, "By compromising a NAS device, an attacker could also hijack traffic from other devices on the same network by using techniques like ARP spoofing."
Holcomb demonstrated such attacks during his Black Hat presentation against the D-Link, Netgear, Buffalo and TRENDnet NAS devices.
The types of issues he found in the NAS systems include command injection, cross-site request forgery, buffer overflows, authentication bypasses and failures, information disclosure, backdoor accounts, poor session management and directory traversal.
The devices he evaluated are: Asustor's AS-602T, TRENDnet's TN-200 and TN-200T1, QNAP's TS-870, Seagate's BlackArmor 1BW5A3-570, Netgear's ReadyNAS104, D-Link's DNS-345, Lenovo's IX4-300D, Buffalo's TeraStation 5600, Western Digital's MyCloud EX4 and ZyXEL's NSA325 v2.
There are obvious differences between what can be done by compromising a NAS device and by compromising a router. By controlling a router, an attacker could capture and modify Internet traffic for a network, while hacking into a NAS system could provide access to potentially sensitive information stored on it.
A router is more likely to be accessible from the Internet than a NAS system, but this doesn’t mean that NAS devices are not being targeted by attackers.
A big concern is that many NAS vendors use the same code base for their high-end and low-end devices, the researcher said. That means the same vulnerabilities in a low-cost NAS device designed for home use could exist in a much more expensive NAS system designed for enterprise environments.
Paying more money for a device does not mean it has better security, Holcomb warned.
Original post by: Lucian Constantin - PC-World