[HN Gopher] QNAP Ships NAS Backup Software with Hidden Credentials

Author : criddell
Score  : 54 points
Date   : 2021-04-29 20:26 UTC (2 hours ago)
Link   : forum.qnap.com

aborsy wrote:
  It's worth mentioning that people found that Synology also has a default
  encryption password (same password for all devices):

  https://blog.elcomsoft.com/2019/11/synology-nas-encryption-f...

  The OpenVPN also had a hidden password:

  https://www.cvedetails.com/cve/CVE-2014-2264/

  The funny thing is that they didn't even bother to choose a longer password
  (the password is synopass). Even if people haven't found them, an attacker
  brute forcing these passwords would easily crack them.

berkut wrote:
  Now that ReadyNAS (Netgear bought them years ago, but the hardware and
  software were still decent up until recently when they stopped releasing
  updates) seems to have given up in the (pro)consumer space (4+ drives), is
  Synology the only option now?

  Asustor and WD seem to be making more advanced and larger drives, maybe
  they're options...

  karmicthreat wrote:
    Synology has always had better software. But they have been more
    expensive and they have been threatening to lock out some features unless
    you use their drives.

    There is no real competitor on the market right now except QNAP. And who
    wants to deal with FreeNAS? I have better and more important things to do
    with my time at work.

    cosmotic wrote:
      How is Synology software better?

      I've had the pleasure of setting up rsync between Synology and QNAP and
      I would say the Synology software appears to be better but actually
      isn't as good.

      Synology appears to use older versions of a lot of tools like rsync.
      Although it doesn't say so, it doesn't rsync the data files, it rsyncs
      the files that make up the backing of the software RAID. It's like
      rsync of the blocks of a sparse disk image instead of the files within
      the disk image. This makes it impossible to resume or adopt a previous
      backup. If any of the configuration for the rsync-send changes, it
      appears to download the entire remote so that it can compare the
      contents of the files to the local instead of hashing remotely, which
      nearly completely defeats the point of using rsync. It took my backup
      task WEEKS to adopt an existing backup that had very few changes.

      karmicthreat wrote:
        I guess within the features I use it's been a better experience. I
        use it as a NAS and DVR. The snapshotting and change reversion
        features have saved me a few times where engineering employees have
        messed up their files.

        Thanks for the point about NFS though.

sodality2 wrote:
  > Thank you Walter Shao, best engineer ever! This is really good for your
  > CV! Oh, and you owe a few people 0.01 BTC...

  Best line of the thread

bbernhard90 wrote:
  Am I the only one that thinks that connecting the NAS directly to the
  internet is a stupid idea to begin with?

  Don't get me wrong, I can totally understand why people (without much
  technical background) are tempted to do this. But with all the complexity
  these NAS systems nowadays have it was only a matter of time for something
  like this to happen.

  ziml77 wrote:
    I think it's insane to do. I wouldn't want to open my NAS up to the
    internet. I can VPN into my home network if I need to access it remotely.

    abfan1127 wrote:
      I can't imagine attaching anything directly to the internet outside my
      router.

      criddell wrote:
        And you likely have UPnP disabled.

  criddell wrote:
    I think it's a bad idea as well but I don't blame people for doing so
    because of how QNAP markets them.

    Competing products are marketed in the same way.

  karmicthreat wrote:
    Other than your router you should not have ANYTHING directly on the
    internet these days.

    There is just too much surface area for device software now and cost
    pressure doesn't allow for security to be much of a priority.

    comboy wrote:
      I'd like to hear what HN folks would most comfortably put as that
      router (device/software).

      ClumsyPilot wrote:
        No reason to believe a random off the shelf router is any more secure
        than any other device

criddell wrote:
  QNAP shipped Hybrid Backup Sync with hardcoded credentials of
  walter:walter. This was used by ransomware criminals to encrypt photos and
  videos and demand payment in Bitcoin for the password to decrypt the data.

  From that page:

  > The code has 27 occurrences of e-mails: waltershao@gmail.com or
  > walterentry20140225@gmail.com in the code.

  More information is available here:

  https://www.helpnetsecurity.com/2021/04/26/qnap-nas-ransomwa...

trengrj wrote:
  If you want a small NAS in a similar form factor I'd recommend the Helios64
  5-bay NAS https://kobol.io/. It is an Arm64 board that runs mainline
  Armbian. It also comes with 2.5Gbit networking and a built-in UPS battery.

  I don't understand why people who care about security and have Linux
  knowledge would use Synology/QNAP. They are both proprietary, often exposed
  to the internet, and packed full of so many features that they are
  consistently full of vulnerabilities (SynoLocker/QLocker etc).

  thinkmassive wrote:
    Helios64 looks amazing but they've been sold out for a while.

    You had my hopes up for a moment there, haha

  comboy wrote:
    I use it, I don't trust it at all. Everything I put there I could put in
    the open on the Internet. It works fine for backups though. It takes care
    of HDDs, I see when something is wrong and can replace them easily.
    Bonding network adapters is a few clicks, and it can send my backups to
    Glacier (to be super clear, backups are always encrypted on the machine
    that's making them).

    Doing it on your own Linux box is just a matter of how you want to spend
    your time. You can definitely find some enclosures, set up some
    notifications, configure it to work with Apple backups, set up some RAID
    scrubbing / smartctl monitoring etc. For almost every feature I can think
    of there is a valid response like "you just need to do this and that on
    your server". But, as a general statement, anything you want to implement
    really well turns out to be more sophisticated than it seemed.

    _It looks nice?_

  ed25519FUUU wrote:
    The built-in UPS feature is very cool.

rkagerer wrote:
  _The latest HBS 3 Hybrid Backup Sync 16.0.0419 has 1215 lines of code with
  the word "walter"._

  Walter's a popular guy. (Apparently he's QNAP's Technical Manager)

  bastard_op wrote:
    No wonder he was promoted, so he'd stop doing stupid things like that.
    Obviously they've not wiped up enough after him.

gumby wrote:
  What drives are people buying these days for moderate-load / high
  reliability RAID?

rhexs wrote:
  I really wish there was a small NAS case that didn't look like a massive
  box. The QNAP/Synology 4 bay low power form factor is just killer for
  fitting into small spaces, but if I could put a Core i5 in one of those
  with some flash to get some more VMs going and run Linux or some BSD
  distro, that'd be incredible.

  Smallest one I've found is
  https://www.u-nas.com/xcart/cart.php?target=product&product_..., but not
  quite as compact as I'd hope.

  As I can't find DIY hardware like that, Synology looks to have a slightly
  more mature vulnerability response program than QNAP -- apparently they
  have a bounty? I've heard about fewer Synology flaws, so hopefully they're
  a slightly better choice on the software side.

  aDfbrtVt wrote:
    I use one of these chassis [1], the form factor is great. Be mindful that
    some of the bracing blocks the PCIe slot on some motherboards.

    [1] https://m.aliexpress.com/item/33038670915.html?spm=a2g0n.pro...

jchw wrote:
  QNAP has some enticing out of the box NAS products, but I guess I feel a
  bit better having chosen Synology.

  That's not to say I necessarily love any of these vendors too much. They
  feel a bit too much like feature mills that have lower incentive to adopt
  better security practices and higher incentives to add features and, well,
  provide a decent user experience. I appreciate the latter, but it isn't
  ideal.

  Still, as much as I'd love a NAS running open source software and maybe
  even open hardware, I think the amount of time and effort spent on doing so
  would not be well rewarded. So for now, I guess I'll ride the useful life
  of my Synology NAS out and go from there.

  As for this incident, it is embarrassing, but it happens. Hopefully this
  will motivate more people to do security research on these devices.

  zf00002 wrote:
    I am still happily running FreeNAS 11. I haven't updated to 12 and its
    name change to TrueNAS. Anyway, the amount of janitoring I have to do
    with it is very minimal. Over the last year, less than 1 hour of time
    spent total.

    coffee_is_nom wrote:
      Another very happy FreeNAS user, been running FreeNAS (now TrueNAS) for
      8 years. Other than a hard drive upgrade and one hard drive failure it
      has been pretty smooth. My overhead in the last year has been maybe 5
      hours of upkeep.

      s800 wrote:
        FreeNAS user for many years here, very happy in multiple
        environments: small home/office stuff and larger "production"
        environments.

  buro9 wrote:
    Synology on the other hand just remove file systems that you may be using
    https://news.ycombinator.com/item?id=26800062

    LeoPanthera wrote:
      Your one-line summary of the situation is wildly misleading.

      You had to migrate disks from devices that support btrfs to devices
      which were _advertised as not supporting it_, but it just happened to
      work.

knrdjngr wrote:
  Is there an official statement regarding the exploit? What should/can you
  do at this point to ensure access to your data?
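The thread's account of how the credentials surfaced (a line count for the word "walter" plus the embedded e-mail addresses) can be turned into a small audit of any unpacked package or firmware tree. The script below is an added example, not code from the thread or from QNAP: the indicator patterns are heuristics chosen here, and the sample file contents are constructed.

```python
"""Flag hard-coded credential indicators in a package tree (added example, not
QNAP's code). Heuristics: e-mail addresses, quoted "user:password" literals
(assumed shape, e.g. "walter:walter") and caller-supplied keywords, per line."""
import re
from pathlib import Path

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
USERPASS_RE = re.compile(r"""['"]([A-Za-z0-9_]{3,32}):([^'"\s]{3,64})['"]""")

def scan_text(path, text, keywords):
    """Return (path, line_no, kind, match) for each indicator on each line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in EMAIL_RE.finditer(line):
            hits.append((path, no, "email", m.group(0)))
        for m in USERPASS_RE.finditer(line):
            hits.append((path, no, "user:pass", m.group(0)))
        low = line.lower()
        for kw in keywords:
            if kw.lower() in low:
                hits.append((path, no, "keyword", kw))
    return hits

def summarize(hits):
    """Count distinct lines per indicator kind and list distinct e-mails."""
    lines_per_kind, emails = {}, set()
    for path, no, kind, match in hits:
        lines_per_kind.setdefault(kind, set()).add((path, no))
        if kind == "email":
            emails.add(match)
    return {k: len(v) for k, v in lines_per_kind.items()}, sorted(emails)

def scan_dir(root, keywords, suffixes=(".sh", ".py", ".php", ".js", ".conf")):
    """Walk an unpacked package directory and scan files with code suffixes."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            hits.extend(scan_text(str(p), p.read_text(errors="replace"), keywords))
    return hits

# Constructed sample files, not QNAP's sources; the values echo the thread.
SAMPLE = {
    "hbs/auth.php": 'define("DEFAULT_ACCOUNT", "walter:walter");\n'
                    '$notify = "waltershao@gmail.com";\n',
    "hbs/sync.sh": '# maintainer: walterentry20140225@gmail.com\nrsync -a "$SRC" "$DST"\n',
    "hbs/clean.py": 'def run():\n    return "ok"\n',
}
def audit_sample():
    hits = [h for path, text in SAMPLE.items() for h in scan_text(path, text, ["walter"])]
    return summarize(hits)
```

Running `audit_sample()` reports how many lines each indicator touched and which addresses were embedded; `scan_dir` applies the same check to a real directory.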