Have you ever wondered how you can access your family pictures on your home network-attached storage (NAS) device remotely from your mobile? Do you know how this magic works? At Pwn2Own Toronto 2022, we chained multiple bugs to exploit both Synology and Western Digital NAS devices by abusing vulnerabilities in the device, cloud and the mutual trust between them.
In our research, we reviewed the pairing mechanism of NAS devices with the WD and Synology cloud platforms. To our surprise, we discovered that devices authenticate to the cloud using a hardware identifier which is later used by users to remotely access their devices. Using this, we were able to impersonate any given NAS device and perform phishing attacks that yielded us admin rights on any targeted WD or Synology device.
In this talk, we will explain the pairing process of WD and Synology NAS. We will elaborate on the overall architecture of their cloud offering and focus on the vulnerabilities we found including ways to enumerate and impersonate all edge devices using certificate transparency log (CTL), and steal cloud proxy auth tokens. This enabled us to download every file saved on the NAS devices, alter or encrypt them, and bypass NAT/Firewall protection to achieve full remote code execution on all cloud-connected NAS (and to gain $$$ from Pwn2Own).
Noam Moshe is a vulnerability researcher at Claroty Team82. Noam specializes in vulnerability research, web applications pentesting, malware analysis, network forensics and ICS/SCADA security. In addition, Noam presented at well-known Hacking conferences like Black Hat Europe, and won Master of Pwn at Pwn2Own Miami 2023.
Terry Sweeney is a Los Angeles-based writer and editor who's covered business technology for three decades. He's written about cyber security for more than 15 years and was one of the founding editors of Dark Reading. Sweeney has covered enterprise networking extensively, as well as its supporting technologies like storage, wireless, cloud-based apps and the emerging Internet of Things. He's been a contributing editor to The Washington Post, Crain’s New York Business, Red Herring, Information Week, Network World, SearchAWS.com, and Stadium Tech Report.