The researchers also said the photo application, which helps users organize photos, provided easy access whether customers connect their NAS device directly to the internet themselves or through Synology’s QuickConnect service, which allows users to access their NAS remotely from anywhere. And once attackers find one cloud-connected Synology NAS, they can easily locate others due to the way the systems get registered and assigned IDs.
“There are a lot of these devices that are connected to a private cloud through the QuickConnect service, and those are exploitable as well, so even if you don’t directly expose it to the internet, you can exploit [the devices] through this service, and that’s devices in the order of millions,” says Wetzels.
The researchers were able to identify cloud-connected Synology NASes owned by police departments in the United States and France, as well as a large number of law firms based in the US, Canada, and France, and freight and oil tank operators in Australia and South Korea. They even found ones owned by maintenance contractors in South Korea, Italy, and Canada that work on power grids and in the pharmaceutical and chemical industries.
“These are firms that store corporate data … management documents, engineering documents and, in the case of law firms, maybe case files,” Wetzels notes.
The researchers say ransomware and data theft aren’t the only concern with these devices—attackers could also turn infected systems into a botnet to service and conceal other hacking operations, such as a massive botnet that Volt Typhoon hackers from China had built from infected home and office routers to conceal their espionage operations.
Synology did not respond to a request for comment, but the company’s web site posted two security advisories related to the issue on October 25, calling the vulnerability “critical.” The advisories, which confirmed that the vulnerability was discovered as part of the Pwn2Own contest, indicate that the company released patches for the vulnerability. Synology’s NAS devices do not have automatic update capability, however, and it’s not clear how many customers know about the patch and have applied it. With the patch released, it also makes it easier for attackers to now figure out the vulnerability from the patch and design an exploit to target devices.
“It’s not trivial to find [the vulnerability] on your own, independently,” Meijer tells WIRED, “but it is pretty easy to figure out and connect the dots when the patch is actually released and you reverse-engineer the patch.”