The IT Nerd

This is one of these situations where the cure might be worse than the disease. I’ve reported on the latest ransomware attack aimed at QNAP NAS devices and in that story, I made this comment:

But that doesn’t change the fact that QNAP clearly has some serious security issues that allow these ransomware attacks to take place as I don’t hear about similar attacks from other NAS vendors. Thus it would make sense for me to consider purchasing another brand of NAS as clearly QNAP NAS devices have some extremely serious security issues that clearly haven’t been addressed. Which means that QNAP really needs to step up their security game or more bad things will happen to them. Such as lost market share.

Well, QNAP is clearly trying to address those issues as they force-updated NAS devices with firmware containing the latest security updates to protect against the DeadBolt ransomware. And people got this update even if automatic updates were disabled. In effect, QNAP force fed the updates to users.

#Fail

And to make matters worse for users, it broke iSCSI connections on some users NAS devices. Although there seems to be a fix for that, and it got in the way of people who had already been pwned by the group behind this latest ransomware attack and had already bought the decryption key to get their data back. In both cases, users are mad as a result.

QNAP responded on Reddit with this:

We are trying to increase protection against deadbolt. If recommended update is enabled under auto-update, then as soon as we have a security patch, it can be applied right away.

Back in the time of Qlocker, many people got infected after we had patched the vulnerability. In fact, that whole outbreak was after the patch was released. But many people don’t apply a security patch on the same day or even the same week it is released. And that makes it much harder to stop a ransomware campaign. We will work on patches/security enhancements against deadbolt and we hope they get applied right away.

I know there are arguments both ways as to whether or not we should do this. It is a hard decision to make. But it is because of deadbolt and our desire to stop this attack as soon as possible that we did this.

Well QNAP, if the security of your NAS devices weren’t so bad, you wouldn’t be in this situation right now. And simply force updating users isn’t a viable strategy either. Why? You simply can’t force feed updates at your leisure and not give your users time to prepare and implement these updates in an orderly fashion. In effect, you’re just making a bad situation worse by further angering your user base by your actions.

And then there’s the elephant in the room. Which is do these firmware updates actually fix this issue? My thinking is no based on the fact that QNAP initially said that taking the device off Internet would mitigate the attacks. So if that’s true, why force feed this update to their user base? And the update in question dates back to late December. Seeing as we are in late January, this implies this isn’t a new update. And it contains fixes to the SAMBA networking protocol based on these release notes. Which I can’t see being a factor here. Though I am free to be corrected on that.

All this does is further reinforce that I need to dump my QNAP NAS and replace it with something from Synology for example as they don’t have these issues. Because clearly QNAP has really dropped the ball here and users of their products are suffering the consequences.

This entry was posted on January 28, 2022 at 8:43 am and is filed under Commentary. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.