New NAS vulnerabilities are pretty much as bad as they get

If you have a QNAP network attached storage (NAS) device, you’d better make sure the firmware is updated.

Earlier this year, F-Secure senior security consultant Harry Sintonen presented research on a series of vulnerabilities he found in a QNAP network attached storage (NAS) device. Unfortunately, Harry discovered more problems since then. And his newer discoveries are considerably more serious.

“The previous vulnerabilities I found were only useful to an attacker that put themselves between QNAP servers and their targets. That’s a difficult enough step to discourage most attackers from using those vulnerabilities as part of a widespread attack,” said Harry. “But that’s not the case with what I’ve found more recently.”

Harry’s advisory gives a technical deep dive of the new vulnerabilities he found. But basically, they allow attackers to remotely take over the device by using what’s known as a “command injection”. And that’s exactly what it sounds like: an attacker remotely inserts commands for your NAS device to run.

Not only does this allow attackers to access any data the device contains, but they can also do things like delete information, lock out other users (including the device owners), hijack the device for use in further attacks, and pretty much whatever else they want.

Or, as F-Secure cyber security expert Janne Kauhanen puts it, this is pretty much as bad as vulnerabilities get. “These vulnerabilities are easy, attractive targets for attackers. They don’t require any special hacking kung-fu, like special access privileges, to use. Attackers can use vulnerabilities like this to fully compromise the security of the device, as well as the confidentiality of any information it contains.”

And to make matters worse, exposed NAS drives give attackers an opportunity to be a lot more creative about their scams. “A storage device like this can basically be used like an online server,” explains Janne. “It’s easy for attackers to store anything on your device, to run any kind of service from there. From a web shop selling dubious goods or services, to an attack platform launching further attacks all over the internet, leaving you to explain why the attacks originate from your home. Or they can plant some compromising material on your NAS device and use it to blackmail you – what Russians call ‘kompromat’.”

“Online extortion is hugely successful, and in scenarios like this, it doesn’t matter whether or not you actually do something wrong. The only thing standing between you and a motivated extortionist is the security of the devices you depend on,” adds Janne.

So who needs to be worried? Well, Harry used a QNAP TVS-663 during his research to confirm his findings. But the real problem lies in the firmware, which is typically a big problem in a lot of internet-connected devices (routers, webcams, and other inexpensive devices that connect to the internet).

These same vulnerabilities are likely found in any device running the same firmware (in this case, QTS 4.2.3). Harry found almost 90,000 devices that he thinks may be vulnerable. But he limited his search to devices currently online, so the number may be higher.

F-Secure Researcher and QNAP NAS device owner Mikael Albrecht thinks insecure NAS units are a much bigger problem than other Internet of Things (IoT) devices. “As a QNAP owner I’m naturally shocked when reading Harry’s advisory. I’m used to security problems in IoT-gadgets, but an insecure NAS is far more severe. Most of the digital stuff I have produced during my whole life is on that device! Luckily QNAP has a working process for distributing updates, and does it quite frequently.”

And there’s the good news: QNAP has already fixed the problem and released an updated version of the vulnerable firmware. According to Harry’s advisory, they took care of this problem pretty quickly, and much better than the response other device vendors have given when confronted with security problems in their products.

So if you have a QNAP NAS device, you better update it now (or make sure it’s running QTS 4.2.4). In fact, you should consider keeping a closer eye on any internet-connected devices you have to make sure the firmware is updated. The sheer number of IoT devices flooding the market, many of which lack the kind of security people need to keep their information private and safe, gives criminals a lot more ways to attack individuals and companies. So you might as well get in the habit of keeping these devices updated and secure.

F-Secure media relations 

Geoff Dorrington

PR manager, F-Secure UK & Ireland


T: 01753 376592




About F-Secure

Nobody has better visibility into real-life cyber attacks than F-Secure. We’re closing the gap between detection and response, utilizing the unmatched threat intelligence of hundreds of our industry’s best technical consultants, millions of devices running our award-winning software, and ceaseless innovations in artificial intelligence. Top banks, airlines, and enterprises trust our commitment to beating the world’s most potent threats. Together with our network of the top channel partners and over 200 service providers, we’re on a mission to make sure everyone has the enterprise-grade cyber security we all need.

Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd. | |

F-Secure media relations

Adam Pilkey

PR Content Manager

+358 40 637 8859

Press list

Sign up for media information from F-Secure.

We process the personal data you share with us in accordance with our Corporate Business Privacy Policy.

Press archive

By year

Browse through our news by year.

By category

Browse through our news by category.