Who’s To Blame For The QNAP Security Mess? My $0.02 Worth…

Yesterday, I wrote about QNAP’s latest security issue with DeadBolt ransomware. And I highlighted that by my count I’ve written about this 8 times this year, which is insane. But after I wrote that article, I thought about this and wondered if this is all QNAP’s fault, or if there’s more to it than that. Which is where this article came from. In short, I believe that while QNAP shoulders a lot of the blame, users (including myself to a degree) have to shoulder some blame as well. Let me explain by starting with QNAP.

There’s clearly something wrong with QNAP in terms of the quality of their code, their QA practices, their ability to find security issues, or something else, for them to repeatedly be targets of DeadBolt. After all, a ransomware gang wants access to the largest number of targets possible to maximize its chances of making money. Thus if other NAS vendors had the same issues, you would see those vendors being affected by DeadBolt too. But outside of one instance of ASUS users being a target of DeadBolt, and one instance of Terramaster users being hit by DeadBolt, I haven’t heard about DeadBolt hitting other vendors of NAS products. Now to be clear, other types of ransomware have hit other NAS vendors, but nothing on the scale of what is happening to QNAP. Thus QNAP really needs to get its house in order, or potential customers are simply going to look elsewhere for their next NAS, as clearly QNAP’s products will not be seen as secure.

On the flip side, there are two things that a threat actor, like whoever is behind DeadBolt, needs in order to take advantage of a QNAP NAS and pwn it:

  • A vulnerability that they can exploit
  • The opportunity to do so.

Let’s start with the vulnerability part of this. I religiously update my NAS to whatever the latest firmware is within a day of it being available. I do that because I want to make sure that I am not leaving myself open to getting pwned by hackers, as they will often reverse engineer what a vulnerability might be based on what the fix is in the current firmware, thus giving themselves an attack vector against earlier versions of the firmware. Now not everybody is yours truly, and you may put off updating the firmware in your NAS (never mind an Android update, or a Windows update) until days or weeks or months later. Or you may never do it at all. That leaves you wide open to attack, and that, I have to say, is on you if you get pwned.

Now let’s look at the opportunity part of this. DeadBolt, as far as I am aware, can only attack your NAS if you have the NAS exposed to the Internet. If you expose anything to the Internet, you are risking a threat actor taking the opportunity to pwn it. I say that because even if you have updated all the things on the NAS, there’s still the possibility of a flaw that exists that nobody knows about. Which means that if the threat actor finds it before one of the good guys does, the threat actor wins and you get pwned. And that’s on you for exposing the NAS to the broader Internet. In my case, I expose nothing to the Internet. And that includes my NAS, which reduces the odds of this happening to me significantly. You’ll note that I said “reduces” and not “eliminates”. Because it is always possible for anyone, anywhere, to get pwned by hackers. But the idea is that you don’t want to make it easy for them by exposing anything, from a smart light bulb to a NAS, to the broader Internet.

Now I do know that many people out there will say that they have a legitimate need to have their NAS exposed to the Internet. But here’s what I would say about that. If my clients say that they have a need to expose a NAS which may contain personal or business related files to the Internet, I would counter that their need doesn’t outweigh the security risk, or the potential loss or theft of those files. Not to mention the possibility of ransomware, or of a threat actor using that NAS to get to their broader network. And not one of my clients has disagreed when this was highlighted to them. Because they understand that security must always come ahead of doing something that is easy and quick.

There’s one other thing that I should point out. If you don’t back up your NAS to another location, be it another NAS, a cloud service or a hard drive, it makes a potential attack more effective, as you’ve got no plan “B”. Or put another way, say that your NAS was pwned by ransomware. If you had a backup, you could simply say “well, that sucks”. Then you could factory reset the NAS, which would likely remove the ransomware, set it up again, restore your backup and move on with your life. All without paying the threat actors a cent. If enough people did that, the people behind DeadBolt and other types of ransomware would be out of business tomorrow, because they wouldn’t have the opportunity to profit from their attacks.

Now I know that what I’ve just said above has the potential to open me up to being lit up like a Christmas tree in a bonfire. And I am fine with that, as I am calling it as I see it. But what are your thoughts? Drop a comment below and share them, but please keep it civil.