Despite the title of the documentary, KRO Television’s A Gift for the Hackers was fairly original: it was based on evidence and good primary research by Vincent Verweij and his team, and I actually learned something from it after a bit of further research of my own.
Verweij starts off by discussing a certain model of HP printer (I can’t recall exactly which) that allows printing over the Internet. The scandal here was that the printers, by default, had little or no password protection. Then he pulled up EMC2/Iomega over a line of NAS products with the same issue.
So both companies (along with several others) got dragged over the coals, somewhat unfairly, considering none of the experts interviewed thought to ask why or how the owners had made the devices accessible from outside their networks in the first place. What’s especially telling is that Ricoh’s spokesman for the Netherlands stated he wasn’t aware of anyone accessing the printers over the Internet, which raises the question of whether the products were ever intended to be deployed that way.
The film-makers and the experts they interviewed focused almost exclusively on the need for password protection, but the problem is much bigger than that.
NAS Device Discovery
Anything with a public IP address (home networks included) is constantly being scanned, and using a method well known to malicious hackers and security researchers, I discovered that 10,000+ Iomega StorCenter NAS devices and HP printers were exposed on the Internet. Some of them required a login; others provided access to everything, including their admin pages. This actually did come as a surprise to me.
At no point in the following examples did I attempt a login, modify anything or view any personal files. I effectively just visited web pages that were (inadvertently) accessible to anyone who knows the relevant IP addresses:
Since this was pretty much where I drew the line, I couldn’t say how resistant the login screens are to the various methods of bypassing them: can the passwords be brute-forced? What form of authentication is used? Is there a URL that takes an attacker straight to the admin page? Is it possible to trick the device into thinking the browser is already authenticated? Are backdoors present in the firmware?
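The distinction drawn above, between devices that present a login and devices that serve their admin pages to anyone who asks, is worth automating when you audit your own address space, and it also answers the cheapest of the questions just posed (what form of authentication the device uses). The following is an added example written for this page, not code from the documentary or from the post’s own research: it classifies captured HTTP responses from device web interfaces. Every response, host label and admin-page marker in it is constructed for illustration and does not correspond to any real device or product.

```python
"""Triage captured HTTP responses from device web interfaces.

Added example, not from the post. Each response is classified as one of:
  'auth-challenge' : HTTP 401 carrying a WWW-Authenticate header (Basic/Digest)
  'login-redirect' : 3xx whose Location header points at a login/auth page
  'login-form'     : HTML that contains a password input field
  'open-admin'     : HTML admin page served with no credential prompt at all
  'other'          : anything else (errors, non-HTML, unknown pages)
The sample responses at the bottom are constructed for the example; they are
not captures from any real NAS or printer.
"""
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def parse_response(raw: str) -> Response:
    """Split a raw HTTP/1.x response into status code, headers and body.

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    header names are.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body)


# An <input type="password"> anywhere in the page means a login form is shown.
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)

# Hypothetical strings an admin page tends to show once you are "in".
# Requiring two of them keeps a single stray word from triggering a hit.
ADMIN_MARKERS = ("shares", "users", "firmware", "network settings", "disk")


def classify(resp: Response) -> str:
    """Apply the checks in order of decreasing certainty."""
    if resp.status == 401 and "www-authenticate" in resp.headers:
        return "auth-challenge"
    if 300 <= resp.status < 400:
        loc = resp.headers.get("location", "").lower()
        return "login-redirect" if ("login" in loc or "auth" in loc) else "other"
    if resp.status != 200 or "text/html" not in resp.headers.get("content-type", ""):
        return "other"
    if PASSWORD_FIELD.search(resp.body):
        return "login-form"
    body_l = resp.body.lower()
    hits = sum(marker in body_l for marker in ADMIN_MARKERS)
    return "open-admin" if hits >= 2 else "other"


def triage(captures: dict) -> dict:
    """Map each host label to the classification of its captured response."""
    return {host: classify(parse_response(raw)) for host, raw in captures.items()}


# Constructed sample responses (hypothetical hosts, not real devices).
SAMPLES = {
    "nas-a": ("HTTP/1.1 401 Unauthorized\r\n"
              "WWW-Authenticate: Basic realm=\"NAS\"\r\n"
              "Content-Type: text/html\r\n\r\n<html>Unauthorized</html>"),
    "nas-b": ("HTTP/1.1 302 Found\r\nLocation: /login.html\r\n"
              "Content-Length: 0\r\n\r\n"),
    "printer-a": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  "<html><form><input name='u'>"
                  "<input type='password' name='p'></form></html>"),
    "nas-c": ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
              "<html><h1>Storage Manager</h1><a href='/shares'>Shares</a>"
              "<a href='/users'>Users</a><a href='/fw'>Firmware update</a></html>"),
    "printer-b": ("HTTP/1.1 503 Service Unavailable\r\n"
                  "Content-Type: text/plain\r\n\r\nbusy"),
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLES).items():
        print(f"{host:10s} {verdict}")
```

The 'open-admin' verdict is the one to act on first: it is the case the documentary filmed, a management page reachable with no credential at all. The others still deserve attention, since a login form on a public IP is only as good as the password behind it and the questions above about brute force, direct admin URLs and session handling remain open. Run a check like this only against hosts you own or are authorised to test.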
Again, it’s unfair to single out any one manufacturer; these are just examples of something that affects any network with devices like this exposed to the Internet.
The film-makers focused almost exclusively on personal data being taken from the exposed devices because of non-existent or bad passwords, but this is only a small facet of a much bigger problem: the NAS devices were exposed when they shouldn’t have been, and a login screen is just one fragile layer of security.
Another facet of the problem is that the corporate data breaches exposed in the documentary seem to happen through the supply chain, where employees of contractors store client information on personal NAS devices. Here we see Verweij obtaining ING’s files because of a KLM executive’s bad security, and an employee of Orange keeping details of Europol’s installation on an unsecured network.
So far I’ve only discussed reading from the storage. It may also be possible to write and upload files to these devices, potentially making them a convenient ‘dropbox’ for indecent material (whatever a given country defines as such), or a way of getting malware onto the network disguised as something the owner regularly accesses.