Ooooh, that's NASty. Security-watchers warn over man-in-the-middle risk

Updated Vulnerabilities in a network attached storage (NAS) devices made by QNAP Systems create a potential means for hackers to steal data and passwords, execute commands or drop malware on vulnerable kit, say security researchers.

Researchers at F-Secure claim they have found a series of weaknesses in the firmware update process of QNAP’s TVS-663 NAS device, such as not encrypting the update requests. These security shortcomings create a means for hackers to seize administrative control of vulnerable devices, they claim.

Harry Sintonen, senior security consultant at F-Secure, developed a proof-of-concept exploit to confirm the vulnerabilities. “Many of these types of vulnerabilities are not severe on their own. But attackers able to put them together can cause a massive compromise,” according to Sintonen.

Sintonen’s PoC begins when the device sends unencrypted requests for firmware updates back to the company. This lack of encryption allows hackers to run man-in-the-middle attacks. Sintonen says he took advantage of this weakness by serving the device with an exploit disguised as a firmware update.

While the fake update is never actually installed, an exploit uses a flaw in the process to yield a full system compromise, he claims. The one major limitation is that hackers would need to be in the position to intercept the update process before they can manipulate it, he added.

That would be enough to frustrate remote hackers – though not miscreants already logged onto the same network as their intended target, he explained.

F-Secure estimates that over 1.4 million devices running vulnerable firmware could be vulnerable. The research was presented at the Disobey conference in Helsinki, Finland last week.

F-Secure said it notified QNAP last February. ®

Updated on 7 Feb to add: QNAP has asked users to "kindly refer to “Security Vulnerabilities Addressed in QTS 4.2.3 Builds 20170121 and 20170124” regarding security fixes for the heap overflow and the firmware update vulnerabilities reported by third-party experts," adding "Thank you for the continued support."