A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS

Presented at DEF CON 31 (2023), Aug. 11, 2023, 12:30 p.m. (45 minutes)

Have you ever wondered how you can access your family pictures on your home network-attached storage (NAS) device remotely from your mobile? Do you know how this magic works? At Pwn2Own Toronto 2022, we chained multiple bugs to exploit both Synology and Western Digital NAS devices by abusing vulnerabilities in the device, cloud and the mutual trust between them. In our research, we reviewed the pairing mechanism of NAS devices with the WD and Synology cloud platforms. To our surprise we discovered that devices authenticate to the cloud using a hardware identifier which is later used by users to remotely access their devices. Using this, we were able to impersonate any given NAS device and perform phishing attacks that yielded us admin rights on any targeted WD or Synology device. In this talk, we will explain the pairing process of WD and Synology NAS. We will elaborate on the overall architecture of their cloud offering and focus on the vulnerabilities we found including ways to enumerate and impersonate all edge devices using certificate transparency log (CTL), and steal cloud proxy auth tokens. This enabled us to download every file saved on the NAS devices, alter or encrypt them, and bypass NAT/Firewall protection to achieve full remote code execution on all cloud-connected NAS (and to gain $$$ from Pwn2Own).

Presenters:

• Sharon Brizinov - Director of Security Research at Claroty Team82
  Sharon Brizinov leads the Vulnerability Research at Team82, The Claroty Research. He specializes in OT/IoT vulnerability research, has participated in multiple Pwn2Own competitions, won Pwn2Own Miami 2023, and holds a DEFCON black badge.
• Noam Moshe - Vulnerability Researcher at Claroty Team82
  Noam Moshe is a vulnerability researcher at Claroty Team82. Noam specializes in vulnerability research, web applications pentesting, malware analysis, network forensics and ICS/SCADA security. In addition, Noam presented in well-known Hacking conferences like Blackhat Europe, as well as won Master of Pwn at Pwn2Own Miami 2023.

Links:

• https://forum.defcon.org/node/245710

Similar Presentations:

• ToorCon San Diego 20 (2018) / Yet Another IoT Hack: A demonstration of discovering and exploiting security vulnerabilities in the TerraMaster F2-420 NAS
• BSidesSF 2019 / Journey to Command Injection: Hacking the Lenovo ix4-300d
• ToorCon San Diego 20 (2018) / Shining a light on a black box: Reverse engineering proprietary protocols in Embedded devices