
@buherator

Et tu Synology?

QNAP has been notoriously insecure like forever, but I will keep an eye out for updates to my Synology. Not that it runs SMTP, but actively disabling validations for TLS does not spark confidence. In which other areas have they made similar boneheaded decisions?

@airwhale Participating in P2O as a vendor is a thing to be respected in the first place. They also wrote a blog about their efforts, but the link is broken - you can probably get it from an archive:

https://blog.synology.com/the-efforts-synology-made-in-pursuit-of-data-security

This is a more technical analysis from the attackers view:

https://drive.google.com/file/d/1MYCNVKkNETkqS-cLJsqHE43Sfm4LZbCO/view?pli=1

In short: they took significant steps forward during the past years, but they probably ignored active network attacks (on LANs this may make sense, for Internet comms not so much).

@buherator

Sure, and it was a 3-4 year old model tested too, so good.

I am just thinking that we must have trusted libraries by now that would not ever include such obvious flaws. How many years have Synology been doing this? TLS is like 30 years old, we need to demand and expect more rigour be put into vital software. Enough with the endless excuses…

@airwhale if you enforce TLS checks you'll get a lot of complaints from avg users because shit stops working for random reasons (time desync, cert issued by some new CA etc). My gut tells me that Syn would have disabled verification even if the lib had it on by default (as it should have, we agree on that).

@buherator

Probably.

Guess we’ll have to live with the “sorry we leaked all your data because we deliberately weakened security for your convenience” approach.

Those skilled Support and Operations teams sure are hurting our profits too.
