科技回声

A technology news platform built on Next.js, providing global technology news and discussion.
© 2025 科技回声. All rights reserved.

Command injection and backdoor account in D-Link NAS devices

207 points, by campuscodi, about 1 year ago

13 comments

starky, about 1 year ago
I'd assume that every consumer NAS device is insecure these days. I had a Terramaster NAS and was hit with a ransomware attack because of the poor security of their OS, through a feature I had turned off. It caused me to look into it more, and I realized that all of the consumer NAS devices have had similar security issues.

You are far better off getting cheap hardware and running TrueNAS or Unraid on it, as they actually get regular software updates and don't have a history of major security issues.
NKosmatos, about 1 year ago
The thing of interest is that although the DNS-320L, and the other D-Link NASes, are EOL (End Of Life), there are more than 90,000 devices still operating out there!

The bad thing here is that many manufacturers, even big ones, tend to forget "old" products and drop support for them. Usually it's a market/business decision, but this is what happens with closed systems :-(

Quoting from https://www.dlink.com/uk/en/products/dns-320l-sharecenter-2-bay-cloud-storage-enclosure#support :

>> This product was phased out on: 13/11/2017

>> This product's last date of support is on: 13/11/2019

Being an owner of a 320L, I don't expect D-Link to offer us an updated firmware any time soon.
jcpham2, about 1 year ago
When my bosses want to know why a quote for a device like a NAS is thousands and thousands of dollars instead of hundreds of dollars, I use examples like this.

Running consumer gear, especially public-facing internet consumer gear, is just asking for trouble.

TrueNAS/FreeNAS, whatever it's called these days - a real OS with real vendor and community support keeping the project alive and up to date is just necessary.

Buying these consumer devices that are set and forget with limited or zero firmware updates is BAD. Not to mention the code quality and unknown closed-source backdoors.
codedokode, about 1 year ago
As I understand it, the problem is that authentication used users from /etc/passwd and allowed logging in as any user, even as a system user like "messagebus" which has no password. It is annoying that Linux software uses the system database for authorization; for example, Postgres and Samba do this, and there is always a risk that you have some system user you don't know about which can be used to access your system.
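As an added defensive illustration (not code from the thread, from D-Link, or from any NAS firmware), here is how an authenticator can avoid treating every /etc/passwd entry as a valid login: it joins constructed passwd/shadow lines and allow-lists only interactive accounts with a usable password, so a daemon account such as messagebus is rejected before any password check runs. The sample data, the UID threshold and the helper names are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed sample passwd/shadow data, not taken from any real device.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
messagebus:x:101:103::/var/run/dbus:/usr/sbin/nologin
admin:x:1000:1000:Admin:/home/admin:/bin/sh
guest:x:1001:1001::/home/guest:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$fakehash:19000:0:99999:7:::
messagebus:*:19000:0:99999:7:::
admin:$6$saltsalt$otherfakehash:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
MIN_HUMAN_UID = 1000  # conventional first UID for interactive accounts (assumption)

@dataclass
class Account:
    name: str
    uid: int
    shell: str
    pw_hash: str  # shadow field 2; "" means the account has no password at all

def parse_accounts(passwd: str, shadow: str) -> dict[str, Account]:
    """Join passwd and shadow by user name; a user absent from shadow gets ''."""
    hashes = {}
    for line in shadow.splitlines():
        if line and not line.startswith("#"):
            name, pw_hash = line.split(":", 2)[:2]
            hashes[name] = pw_hash
    accounts = {}
    for line in passwd.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            accounts[f[0]] = Account(f[0], int(f[2]), f[6], hashes.get(f[0], ""))
    return accounts

def may_authenticate(acct: Account) -> bool:
    """Allow-list: only interactive users that actually have a usable password.
    Daemon accounts (low UID, nologin shell, locked or empty hash) are refused."""
    return (acct.uid >= MIN_HUMAN_UID
            and acct.shell not in NOLOGIN_SHELLS
            and bool(acct.pw_hash) and acct.pw_hash[0] not in "*!")

def loginable_users(passwd: str = PASSWD, shadow: str = SHADOW) -> list[str]:
    """Names a web-facing authenticator should be willing to check at all."""
    accts = parse_accounts(passwd, shadow)
    return sorted(n for n, a in accts.items() if may_authenticate(a))
```

With the sample data only `admin` survives: root and messagebus fail the UID check, messagebus additionally has a nologin shell and a locked hash, and guest has an empty password field.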
tmoertel, about 1 year ago
Ask HN: Are there any hardware manufacturers that can be relied upon *not* to have big security problems?
aborsy, about 1 year ago
Synology DSM and apps are closed source. It's a Taiwanese company, and I wonder to what extent it can be trusted?

Does anyone have information on the security of DSM? Like, is it compliant for use in sensitive departments?
eigenvalue, about 1 year ago
I’m surprised that there aren’t projects that aggregate a bunch of these known exploits together with these security search engines to find vulnerable devices and use them to create a TOR-like network of proxy server nodes. Presumably most of these vulnerable devices are running in homes of consumers with residential internet, making the traffic hard to identify as being from a VPN service. Not that I’m suggesting anyone actually do this since it would be highly illegal…
speedylight, about 1 year ago
I see IoT devices are still the weakest link in any network.
wolverine876, about 1 year ago
Remember the recent stories about how FOSS is inherently less secure than proprietary systems - and because of the xz exploit, which was infinitely more complex? I'm trying to remember a FOSS system with a hardcoded, passwordless backdoor - it's a big world; there must be some. I almost expect a backdoor (though with a password!) in a consumer NAS.

I don't knee-jerk reject proprietary solutions. And they might have an advantage if there was liability for this sort of thing. D-Link should be paying hefty fines for selling this obviously substandard, unprofessional crap to the public.
srgseg, about 1 year ago
This is why I always use an encrypted file system, where the encryption keys are only known to the client (and not the NAS or other storage provider).
fx1994, about 1 year ago
I bought a used DNS-320L, and the first thing I did was load it with the ALT-F alternative firmware. It worked great, but the device was too slow for my needs.
cqqxo4zV46cp, about 1 year ago
Have I woken up in some universe where the word "backdoor" doesn't mean what it used to? I am used to backdoor implying malicious intent on the part of the vendor / author, or something left by an attacker. I'm just not seeing that here. This just looks like utterly unsurprising incompetence on the part of a consumer networking / IoT gear manufacturer. Yes, I know what a literal 'back door' is, and yes, I know that "make it look like incompetence" could be a strategy. I'd partially blame people being all hot and bothered about xz, but I can see that these files were committed two weeks ago.
GEBBL, about 1 year ago
How did this pass code review?