Yet Another IoT Hack: A demonstration of discovering and exploiting security vulnerabilities in the TerraMaster F2-420 NAS

Presented at ToorCon San Diego 20 (2018), Sept. 15, 2018, 2 p.m. (50 minutes)

Security and the Internet of Things (IoT) are commonly discussed, though rarely in a positive light. In 2018, the state of security in embedded devices appears to be a continuation of this trend, according to research performed by Independent Security Evaluators (ISE). As part of our research, we have looked at a variety of devices aimed at the professional consumer and small business market including the TerraMaster F2-420 Network Attached Storage (NAS). In the F2-420, we found several glaring vulnerabilities, including some that allow remote attackers to gain root access without any authentication. In the course of a few days, ISE obtained 24 CVEs for vulnerabilities we discovered in the TerraMaster F2-420. This presentation will cover some of the issues affecting the NAS, and provide sample attack workflows for compromising a network-accessible F2-420. More importantly, it will describe a methodology for finding vulnerabilities in embedded devices by examining all available attack surfaces.


  • Joshua Meyer
    Joshua Meyer has had a passion for technology since an early age. Growing up in a small town in Maryland, Josh spent a lot of his time learning about different computing concepts. Josh graduated from University of Maryland, Baltimore County with a bachelors degree in computer science and likes to remark that he studied how to write code, but spends his days breaking software. Josh is an Associate Security Analyst at Independent Security Evaluators, a firm of security specialists that provide a wide range of services including custom security assessments and software development.


Similar Presentations: