Hi guys, this is the first post, so please feel free to comment.
What is NAS?
Sometimes referred to as a Personal Cloud, Network Attached Storage is a quite cool idea for storing your data on your network, independent of your own computer. This data can be easily accessed through the LAN (local network) but also through the Internet. It is used mostly as a backup device (we will get to it soon), as a place from which users share their data with others (co-working or family photos), or as a multimedia server to stream stored content to different devices.
Image by: QNAP
So what are the dangers in storing your data on a NAS?
The danger for your data is basically in the combination of two things:
- These devices are by default designed to be connected to the Internet
- The manufacturers are continuously failing to provide even basic security for their devices
This means that (in default settings) the only defense between your data and the Internet is the manufacturer's security implementation on your NAS device (and the version of the firmware used).
Image by: Synology
I will not talk about technical details such as different attacks on the login page of the device, hidden back-doors, SSH/Telnet attacks or weaknesses in the security implementations of various manufacturers. All of this you can easily find on the Internet.
What I want to highlight here is the impact on you or your data in case your device is compromised.
Scenario 1. NAS used as backup location
Backup is a very common use for NAS devices, because a NAS offers plenty of space and it's accessible from many different devices. People nearly always back up important stuff: from work files, personal information, family-related files and whole Windows or Mac machines up to their Bitcoin or Ethereum wallet keys.
If you do a whole-computer backup (Windows or Mac) and store it on your NAS, it contains all stored passwords from your browser, e-mail history and logins from any email program you use, logins from any FTP client you use, backup files for your cryptocurrency wallet...
All this creates a very tempting and valuable target for Internet bad guys, and they have already developed quite a few automatic programs to search for vulnerable machines on the Internet.
Compromise of such a backup location over the Internet is simply REALLY BAD.
Scenario 2. NAS used as media server for your (private) photos and videos
This is also a very common scenario, as people like to share photos and videos with other family members around the world or to store somewhere all the images from holidays or of their children. Again, as we have the NAS connected to the Internet, everybody can simply access the device over the Internet and, if it is not properly secured, read and download or delete all the content. If you would like to protect yourself and your family, you should really spend some time securing your device.
But what if I tell you that even if you set up your device properly, with the latest firmware and a super strong password, all your multimedia will still be easily accessible over the Internet without even the need for a password? (This refers to all devices with Twonky server enabled.)
Image by: Edward Cisneros
The majority of mainstream NAS devices have security-related issues, and they should not be used as storage for critical or personal data if connected to the Internet. This is a fact.
Security of your data is not the focus point for manufacturers of such devices. Users should be aware of this situation to make an informed decision about where they will store their personal data.
What manufacturers should do to improve the security of their products:
- mandatory new strong password during setup
- only local network by default
- proper access authentication
- only essential services by default
- optional automatic updates
- optional hard drive encryption
Did you find this article informative, interesting or missing something? Please comment.