back to article Patch now before you get your NAS kicked: Iomega storage boxes leave millions of files open to the internet

Lenovo is emitting an emergency firmware patch for Iomega NAS devices after the network-attached storage boxes were discovered inadvertently offering millions of files to the internet via an insecure software interface. Infosec outfits Vertical Structure, based in the Northern Ireland, and WhiteHat Security, headquartered in …

  1. Anonymous Coward
    Anonymous Coward

    Computer says no.....

    Why would anyone put a raw NAS box directly facing the internet ?

    or even how would anyone put a raw NAS box directly facing the internet. It must take some effort to remove a firewall and give it a public IP address...

    1. monty75

      Re: Computer says no.....

      Poorly configured uPnP would be my guess. A lot of these home NAS thingies make themselves accessible from the internet so you (or anyone else in this case) can access your files when away from home.

      1. Halfmad

        Re: Computer says no.....

        Which is why I still haven't bought one even though it'd be handy to have a NAS backing up to my offsite backup rather than my PC.

        Just not sure I trust these cheap NAS boxes.

      2. Anonymous Coward
        Anonymous Coward

        Re: Computer says no.....

        You know that thing, where True IPv6 Believers say that NAT in IPv4 serves no useful purpose and it shouldn't be part of IPv6.

        This kind of thing will happen more often with a (NAT-less) IPv6.

    2. Kevin McMurtrie Silver badge

      Re: Computer says no.....

      There are numerous issues with routers provided by ISPs. If you purchase static IP addresses, the installer will typically configure the router to use them for DHCP. Customers may also turn on IPv6 pass-through rather than use the more complex, and often buggy, IPv6 firewall rules for each device. Fixing your own ISP-provided router is hard as hell unless you can hack together another internet connection for looking up secret instructions and bug workarounds.

      1. Muscleguy Silver badge

        Re: Computer says no.....

        Gosh, you mean we need convenient handheld computers with cell mobile chips in them and data plans which mean they can look stuff up on the interwebnets?

        Quick, let's invent one. I'm sure we could make a mint. Maybe we could make it run windoze?

        1. Snake Silver badge

          Re: looking up stuff...

          Have you ever looked at a good majority of ISP-supplied router firewall rules? They are text rules based.

          You usually get 3 pre-configured system settings of:

          - "Default", which are the ISP rules;

          - "Disable" which is 'I'm food, eat me!, and;

          - "Custom", which usually presents you with a completely blank rules page where *every port and exception rule must be written in rule-context text, created from scratch*.

          You would be far more comfortable to simply poke your own eyes out with a hot soldering iron than to create a entire text-based port rulebook from scratch, incoming *and* outgoing. Which is what the cheap ISP, intentionally stripping down the UI to such bare-bones, prefers you do rather than fool around with their choices.

    3. Youngone Silver badge

      Re: Computer says no.....

      MY QNAS box has two NICs and can act as a gateway for the whole network, with DHCP, DNS etc but I don't really trust that device either, so it is behind a pfSense box and acts as disc space only.

      Which is what NAS really means as far as I'm concerned.

  2. Lee D Silver badge

    STOP OPENING PORTS TO THINGS THAT DON'T NEED PORTS OPEN!

    Seriously, nothing to do with the firmware or whatever... what the hell is a NAS with those kinds of documents doing handling raw packets from the Internet?

    I *BET* this is a UPnP thing too... where the box just says "Hey, open all these ports and point them at me" and people's stupid networks just obey blindly without any notification.

    Firewalls are supposed to work BOTH WAYS people. Not letting in anyone who shouldn't be in, not letting anything talk out that shouldn't be out, and NOT blindly doing so automatically or operated by someone who just cuts holes in the damn thing unthinkingly "to make everything work".

    An analogy I use... every port-forward is like drilling a hole in your marble worktop, or punching a hole through your house's outer wall. Sure, you have to do so occasionally. Of course it's necessary for some parts to work (e.g. taps). But you don't go drilling more and more and more holes just because it makes it easier for the electrician, and you don't make the holes any larger than necessary and, when you're done with that hole, you fill it back in.

    I have less ports forwarded (never just open, but forwarded to another machine on an enclosed VLAN) than almost anyone else in the same industry as me, and yet I offer far more services on-site than anyone else in the same position.

    Unless you are running, deliberately running, a server on a well-known port, you do not open (incoming) ports. And you disable UPnP on any gateway device immediately upon receipt (clients can request UPnP all day long from their UPnP services if they like, but it's the gateway that actually acts upon them).

    And all "servers" should be treated as such - updates, security, authentication, least-privilege, auditing, logging, and where possible proxying between them and the outside world too. (I once get marked down in a security audit involving an external penetration test because they were unable to query my webservers directly as they all showed up as a Squid/Apache reverse proxy. "Obviously" that stopped them being able to look for version strings and query vulnerability to ridiculous URL constructions like "../../../.." etc. so they marked me down... despite the fact that that's *precisely* why that's in place)

    1. A random security guy Bronze badge

      What part of UPnP did you not get? </Sarcasm>

      The UNIVERSAL means everyone can plug it in any ANYONE can play with it. Woe be to anyone who prevents hackers from accessing it.

      More seriously, I was at Sun during the Java wars and attended a UPnP conference in Redmond. Strangely enough, one of their main architects happened to sit next to me during lunch. So I point blank asked him if UPnP had any security. And he answered honestly that they had none and they were probably never going to even though it was a bad idea. That time MSFT was gong-ho about functionality and security be damned. It has changed since then but the detritus is still floating around.

  3. Bigdavemc

    I have had my Lenovo hacked and ransom is being asked for. Do I have any come back with Lenovo ?

    1. Anonymous Coward
      Anonymous Coward

      If you can hire expensive enough lawyer types, then probably yes.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021