[HN Gopher] QNAP Ships NAS Backup Software with Hidden Credentials
___________________________________________________________________
QNAP Ships NAS Backup Software with Hidden Credentials
Author : criddell
Score : 54 points
Date : 2021-04-29 20:26 UTC (2 hours ago)
| aborsy wrote:
| It's worth mentioning that people found that Synology also has a
| default encryption password (same password for all devices):
|
| https://blog.elcomsoft.com/2019/11/synology-nas-encryption-f...
|
| The OpenVPN also had a hidden password:
|
| https://www.cvedetails.com/cve/CVE-2014-2264/
|
| The funny thing is that they didn't even bother to choose a
| longer password (the password is synopass). Even if people
| haven't found them, an attacker brute forcing these passwords
| would easily crack them.
| berkut wrote:
| Now that ReadyNAS (Netgear bought them years ago, but the
| hardware and software were still decent up until recently when
| they stopped releasing updates) seems to have given up in the
| (pro)consumer space (4+ drives), is Synology the only option now?
|
| Asustor and WD seem to be making more advanced and larger drives,
| maybe they're options...
| karmicthreat wrote:
| Synology has always had better software. But they have been
| more expensive and they have been threatening to lock out some
| features unless you use their drives.
|
| There is no real competitor on the market right now except
| QNAP. And who wants to deal with FreeNAS, I have better and
| more important things to do with my time at work.
| cosmotic wrote:
| How is Synology software better?
|
| I've had the pleasure of setting up rsync between Synology
| and QNAP and I would say the Synology software appears to be
| better but actually isn't as good.
|
| Synology appears to use older versions of a lot of tools like
| rsync. Although it doesn't say so, it doesn't rsync the data
| files, it rsyncs the files that make up the backing of the
| software-raid. It's like rsync of the blocks of a sparse disk
| image instead of the files within the disk image. This makes
| it impossible to resume or adopt a previous backup. If any of
| the configuration for the rsync-send changes, it appears to
| download the entire remote so that it can compare the
| contents of the files to the local instead of hashing
| remotely, which nearly completely defeats the point of using
| rsync. It took my backup task WEEKS to adopt an existing
| backup that had very few changes.
| karmicthreat wrote:
| I guess within the features I use it's been a better
| experience. I use it as a NAS and DVR. The snapshotting and
| change reversion features have saved me a few times where
| engineering employees have messed up their files.
|
| Thanks for the point about NFS though.
| sodality2 wrote:
| > Thank you Walter Shao, best engineer ever! This is really good
| for your CV! Oh, and you owe a few people 0.01 BTC...
|
| Best line of the thread
| bbernhard90 wrote:
| Am I the only one that thinks that connecting the NAS directly to
| the internet is a stupid idea to begin with?
|
| Don't get me wrong, I can totally understand why people (without
| much technical background) are tempted to do this. But with all
| the complexity these NAS systems nowadays have it was only a
| matter of time for something like this to happen.
| ziml77 wrote:
| I think it's insane to do. I wouldn't want to open my NAS up to
| the internet. I can VPN into my home network if I need to
| access it remotely.
| abfan1127 wrote:
| I can't imagine attaching anything directly to the internet
| outside my router.
| criddell wrote:
| And you likely have UPnP disabled.
| criddell wrote:
| I think it's a bad idea as well but I don't blame people for
| doing so because of how QNAP markets them.
|
| Competing products are marketed in the same way.
| karmicthreat wrote:
| Other than your router you should not have ANYTHING directly on
| the internet these days.
|
| There is just too much surface area for device software now and
| cost pressure doesn't allow for security to be much of a
| priority.
| comboy wrote:
| I'd like to hear what HN folks would most comfortably put as
| that router (device/software).
| ClumsyPilot wrote:
| No reason to believe a random off the shelf router is any
| more secure than any other device
| criddell wrote:
| QNAP shipped Hybrid Backup Sync with hardcoded credentials of
| walter:walter. This was used by ransomware criminals to encrypt
| photos and videos and demand payment in Bitcoin for the password
| to decrypt the data.
|
| From that page:
|
| > The code has 27 occurrences of e-mails: waltershao@gmail.com or
| walterentry20140225@gmail.com in the code.
|
| More information is available here:
|
| https://www.helpnetsecurity.com/2021/04/26/qnap-nas-ransomwa...
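The kind of audit this report implies, added here as an example and not code from the thread or from QNAP: walk an extracted software package and count embedded e-mail addresses, URL-embedded credentials, user:user pairs (the shape of walter:walter) and lines mentioning a watched name. The sample files are constructed; the patterns and the watched name "walter" are assumptions taken from the comment above.

```python
import os
import re
import tempfile
from collections import Counter

# Patterns an audit of an unpacked package would flag (assumed, not QNAP's):
PATTERNS = {
    # e-mail addresses left in code (letter-only TLD so IPs inside URLs don't match)
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}\b"),
    # scheme://user:password@host credentials embedded in a URL
    "url_cred": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@"),
    # user:user pairs, the shape of the walter:walter credential in the report
    "same_userpass": re.compile(r"\b([a-z][a-z0-9_]{2,}):\1\b"),
}

def scan_tree(root, watch_names=("walter",)):
    """Walk an extracted package; count pattern hits and lines mentioning watched names."""
    hits = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as f:
                text = f.read()
            for label, rx in PATTERNS.items():
                hits[label] += len(rx.findall(text))
            for w in watch_names:
                hits[w] += sum(1 for line in text.splitlines() if w in line.lower())
    return hits

def build_sample_package(root):
    """Constructed stand-in for an unpacked package; none of this is vendor code."""
    samples = {
        "bin/sync.sh": "#!/bin/sh\n# constructed: credentials passed inline to rsync\n"
                       "rsync -av rsync://walter:walter@192.0.2.10/share /data\n",
        "lib/util.py": "SUPPORT = 'security@example.com'\nOWNER = 'walter'\n",
        "README": "Sync helper. Questions: admin@example.com\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)

def audit_sample():
    """Build the constructed package in a temp dir and return the hit counts."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_package(root)
        return scan_tree(root)

if __name__ == "__main__":
    for label, count in sorted(audit_sample().items()):
        print(f"{label}: {count}")
```

Pointing `scan_tree` at a real unpacked package gives the same per-pattern counts the forum post quotes (occurrences of e-mails, lines containing a name); a non-zero `url_cred` or `same_userpass` count is a finding to triage before the package ships or is deployed.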
| trengrj wrote:
| If you want a small NAS in a similar form factor I'd recommend
| Helios64 5-bay NAS https://kobol.io/. It is an Arm64 board that runs
| mainline Armbian. Also comes with 2.5Gbit networking and a built-in
| UPS battery.
|
| I don't understand why people who care about security and have
| Linux knowledge would use Synology/QNAP. They are both
| proprietary, often exposed to the internet, and packed full of so
| many features that they are consistently full of vulnerabilities
| (SynoLocker/QLocker etc).
| thinkmassive wrote:
| Helios64 looks amazing but they've been sold out for a while.
|
| You had my hopes up for a moment there, haha
| comboy wrote:
| I use it, I don't trust it at all. Everything I put there I
| could put in the open on the Internet. It works fine for
| backups though. It takes care of HDDs, I see when something
| is wrong and can replace them easily. Bonding network adapters
| is a few clicks, and it can send my backups to glacier (to be
| super clear, backups are always encrypted on the machine that's
| making them).
|
| Doing it on your own Linux box is just a matter of how you
| want to spend your time. You can definitely find some
| enclosures, set up some notifications, configure it to work with
| apple backups, set up some raid scrubbing / smartctl monitoring
| etc. For almost every feature I can think of there is a valid
| response like "you just need to do this and that on your
| server". But, as a general statement, anything you want to
| implement really well turns out to be more sophisticated than
| it seemed.
|
| _It looks nice?_
| ed25519FUUU wrote:
| The built-in UPS feature is very cool.
| rkagerer wrote:
| _The latest HBS 3 Hybrid Backup Sync 16.0.0419 has 1215 lines of
| code with the word "walter"._
|
| Walter's a popular guy. (Apparently he's QNAP's Technical
| Manager)
| bastard_op wrote:
| No wonder he was promoted, so he'd stop doing stupid things
| like that. Obviously they've not wiped up enough after him.
| gumby wrote:
| What drives are people buying these days for moderate-load / high
| reliability RAID?
| rhexs wrote:
| I really wish there was a small NAS case that didn't look like a
| massive box. The QNAP/Synology 4 bay low power form factor is
| just killer for fitting into small spaces, but if I could put a
| core i5 in one of those with some flash to get some more VMs
| going and run Linux or some BSD distro, that'd be incredible.
|
| Smallest one I've found is
| https://www.u-nas.com/xcart/cart.php?target=product&product_...,
| but not quite as compact as I'd hope.
|
| As I can't find DIY hardware like that, Synology looks to have a
| slightly more mature vulnerability response program than QNAP --
| apparently they have a bounty? I've heard about less Synology
| flaws, so hopefully they're a slightly better choice on the
| software side.
| aDfbrtVt wrote:
| I use one of these chassis [1], the form factor is great. Be
| mindful that some of the bracing blocks the pcie slot on some
| motherboards.
|
| [1]
| https://m.aliexpress.com/item/33038670915.html?spm=a2g0n.pro...
| jchw wrote:
| QNAP has some enticing out of the box NAS products, but I guess I
| feel a bit better having chosen Synology.
|
| That's not to say I necessarily love any of these vendors too
| much. They feel a bit too much like feature mills that have lower
| incentive to adopt better security practices and higher
| incentives to add features and, well, provide a decent user
| experience. I appreciate the latter, but it isn't ideal.
|
| Still, as much as I'd love a NAS running open source software and
| maybe even open hardware, I think the amount of time and effort
| spent on doing so would not be well rewarded. So for now, I guess
| I'll ride the useful life of my Synology NAS out and go from
| there.
|
| As for this incident, it is embarrassing, but it happens.
| Hopefully this will motivate more people to do security research
| on these devices.
| zf00002 wrote:
| I am still happily running FreeNAS 11. I haven't updated to 12
| and its name change to TrueNAS. Anyway, the amount of
| janitoring I have to do with it is very minimal. Over the last
| year, less than 1 hour of time spent total.
| coffee_is_nom wrote:
| Another very happy FreeNAS user, been running FreeNAS (now
| TrueNAS) for 8 years. Other than hard drive upgrade and one
| hard drive failure it has been pretty smooth. My overhead in
| last year has been maybe 5 hours of upkeep.
| s800 wrote:
| FreeNAS user for many years here, very happy in multiple
| environments: small home/office stuff and larger
| "production" environments.
| buro9 wrote:
| Synology on the other hand just remove file systems that you
| may be using https://news.ycombinator.com/item?id=26800062
| LeoPanthera wrote:
| Your one-line summary of the situation is wildly misleading.
| You had to migrate disks from devices that support btrfs to
| devices which were _advertised as not supporting it_, but it
| just happened to work.
| knrdjngr wrote:
| Is there an official statement regarding the exploit? What
| should/can you do at this point to ensure access to your data?
___________________________________________________________________
(page generated 2021-04-29 23:00 UTC)