NAS security review: Synology DS1515+ running DSM 5.1-5022

Network attached storage vendor Synology claims to have improved its handling of security issues following last year’s ransomware attacks on its users. CSO Australia and Enex Test Lab put its latest version of DiskStation Manager (DSM) on the new Synology DS1515+ hardware through its paces.

Cybercriminals like low-hanging fruit and last year they set their sights on NAS devices manufactured by Taiwan-based Synology.

Early in the year, hackers took over an unknown number of Synology NAS devices to form a distributed crypto-currency mining rig that earned an estimated $600,000 in just two months. Researchers at Dell SecureWorks said it became the “single most profitable, illegal mining operation” to date. The problem was tracked to an unauthorised application running on affected systems.

The first round of attacks would turn out to be a mild annoyance compared to the next wave. In August, hackers struck Synology users again, only this time with a custom piece of ransomware that encrypted potentially terabytes of each victim’s files. Since NAS devices are designed with a capacity in mind, a hacked NAS offers the attackers fairly persuasive leverage when demanding $350 for the decryption key.

In this case, the attackers appeared to have exploited two flaws that Synology had released fixes for but were not applied by users. Clearly there was some room for improvement on Synology’s part to ensure users were running up to date systems. 

Synology released its new 5-bay NAS, the DS1515+, in November running DSM 5.1 and has promised it is “fully guarded against known challenges with automatic security updates”. It also promised hassle-free auditing with the Security Advisor tool “for bullet protection”.

They’re bold claims given the issues users faced last year, so CSO Australia and Enex TestLab put them to the test. Here’s what we found. 

Pen-testing the Synology DS1515+ with DSM 5.1

The unit is a Plus model and is really powerful as a result. For just over $1000 it’s a little expensive for the hardware but with the ease of use and lack of manual configuration it could be worth it.

The evaluation unit shipped with five 500 GB Western Digital Blacks, admittedly very fast drives.

Delivering DSM

The unit we reviewed doesn’t come with firmware; you must download the newest one from the internet, which is good in that you avoid old versions being installed by default. The 186 MB download is a sensible size for most internet links and can be uploaded via a web browser if the Synology NAS isn’t Internet-connected.

Unfortunately, DSM firmware is unsigned and downloaded over unencrypted HTTP, which could allow a malicious Man In The Middle to modify or provide their own version of DSM. The lack of signing may be an intentional trade-off by Synology to allow the IT savvy customise their NAS with ease, but leaves the door wide open to state sponsored espionage.

Passwords and patching

Synology have been regularly patching DSM 5.x to fix any exposed vulnerable services. For the NTP vulnerabilities in December they were only a few days behind Cisco. This is a good improvement over older DSM versions which had updates less frequently (such as those affected by the Synolocker ransomware).

the NTP vulnerabilities in December: http://www.cso.com.au/article/562928/exploits-dangerous-network-time-protocol-vulnerabilities-can-compromise-systems/ 

The downside is that there is no quality checks on password creation. The built-in Security Advisor tool will tell you about lacking passwords, but only if you think to run it. It would be nice if it had standard ‘this password is weak’ warnings which have become commonplace for websites.

Update options for operating system are “always update automatically”, “apply critical updates automatically” and “download but ask me “. This encourages users to keep themselves up to date. This gets our tick of approval.

On the other hand, the packages that run on Synology DSM aren’t set to automatically update by default, and they potentially provide a big attack surface if you install Wordpress and all the other bells and whistles. Administrators can however easily enable automatic updates.

The NAS is quite careful about what it exposes publicly, but an end user could still do something silly on their router (as is most of the instances of SME compromise we see). This isn’t Synology’s fault and is the nature of the market unfortunately. Check all of your publicly facing IP addresses for unexpected/unneeded exposed services periodically – this goes for sole traders up to ASX100.

Synology's Security Advisor is helpful, but is it bulletproof?

Synology now include a “Security Adviser” which gives you a quick way to look for any insecure configurations you may have enabled. While this doesn’t replace a security expert reviewing your environment it is a lot better than most general IT support will manage. This can be run on a schedule and alert you to any new issues (such as a user setting a bad password).

Synology also allows for local encrypted folders. This would be a great idea for business documents and prevents disclosure of documents following a physical theft of the NAS.

Cloud sync — a feature that allows users to sync to public clouds such as Dropbox and Google — and other backup mechanisms when enabled, means you are safer from ransomware infections of your users. Built in local backups also give a level of protection but won’t help you in the case of multiple drive failure, fire or theft. With DSM able to encrypt Cloud backups, and considering cloud hosting, you’d be mad not to use it in an SME setting for added piece of mind.

Another positive sign is that packages have cryptographic signing and the user can determine who to trust. This is a nice touch. If you wish to go outside of the Synology ecosystem, ‘ipkg’ packages are also supported for more esoteric software options. We haven’t evaluated Synology’s approval process but based on the documentation they are making a good effort to keep malware out of their ecosystem.

The verdict

All in all the Synology DSM operating system and 1515+ NAS unit appeared to be a great mix of security, flexibility and ease of use. Outside of going to an Apple iOS style model of “app store only” they have provided an ecosystem of trusted applications to run on the NAS. Based on our evaluation we would recommend Synology NASes for businesses who don’t need a dedicated IT infrastructure but still require a local file server.