My Synology NAS has been hacked by ransomware calling itself Synolocker (twitter.com/mikeevangelist)
180 points by hjuutilainen on Aug 3, 2014 | hide | past | favorite | 150 comments

Wow, so this article was impetus enough for me to get key-based SSH working correctly on my Synology.

Out of curiosity, I looked in my Synology's GUI for the logs, and found you can export them to CSV (System Logs > Connections).

I have _a lot_ of this sort:

    Warning,Connection,2014/08/03 21:10:17,SYSTEM,User [root] from [] failed to log in via [SSH] due to authorization failure.
Curious how many distinct IPs, cut/grep/sed/sort:

  cut -d ' ' -f 5 ~/Downloads/connection.csv  | grep -E '[0-9.]+' | sed 's/\[//' | sed 's/\]//' | sort -u | wc
There are 143 distinct IPs, in the 111.x.y.z, 202, 210, 222, etc. ranges:

  ...  cut -d '.' -f -2 | sort -u
I punched a few into (http://www.whereisip.net/index.php) and they're mostly in China (except a 23.9... in Rochester, NY). All the successful log-ins are from myself, at least ( grep 'logged in' ...).

Open the Control Panel, then select Security (under "Connectivity"), then the "Auto Block" tab and check "Enable auto block".

Kiddies will scan, this blocks their IP numbers after N (by default 5) failed attempts to connect to a number of services, including SSH. My synology has blocked large parts of the internet over the past few months. :)

(only my SSH port is open to the outside so that my laptops can synchronize with my Synology via unison over SSH when I'm on the road.)
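An added example, written for this page rather than taken from the comments above or from Synology's own tooling, that automates what these two comments do by hand: it parses a "System Logs > Connections" CSV export in the layout of the line quoted above, lists the distinct attacking IPs, simulates an auto-block rule that bans an IP once it reaches N failures inside a sliding window, and flags any successful login from an IP that had failed earlier. The sample rows are constructed, the addresses come from documentation ranges, and the wording of the successful-login message and the five-minute window are assumptions, not DSM's exact behaviour.

```python
import csv
import io
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the layout of a DSM "System Logs > Connections" CSV export
# (level,category,timestamp,user,message). Addresses are documentation ranges; the
# wording of the successful-login message is an assumption.
SAMPLE_CSV = """\
Information,Connection,2014/08/03 18:45:00,SYSTEM,User [alice] from [192.0.2.44] logged in successfully via [SSH].
Warning,Connection,2014/08/03 19:02:10,SYSTEM,User [admin] from [198.51.100.23] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 20:15:33,SYSTEM,User [admin] from [198.51.100.23] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:10:17,SYSTEM,User [root] from [203.0.113.9] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:10:29,SYSTEM,User [root] from [203.0.113.9] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:10:41,SYSTEM,User [root] from [203.0.113.9] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:10:53,SYSTEM,User [root] from [203.0.113.9] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:11:02,SYSTEM,User [root] from [203.0.113.9] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:11:15,SYSTEM,User [root] from [203.0.113.9] failed to log in via [SSH] due to authorization failure.
Warning,Connection,2014/08/03 21:30:05,SYSTEM,User [admin] from [198.51.100.23] failed to log in via [SSH] due to authorization failure.
Information,Connection,2014/08/03 21:31:40,SYSTEM,User [admin] from [198.51.100.23] logged in successfully via [SSH].
"""

MSG_RE = re.compile(
    r"User \[(?P<user>[^\]]*)\] from \[(?P<ip>[^\]]*)\] "
    r"(?P<outcome>failed to log in|logged in(?: successfully)?) via \[(?P<svc>[^\]]+)\]"
)


def parse_events(text):
    """Parse the CSV export into dicts {ts, user, ip, svc, ok}, oldest first."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue
        m = MSG_RE.search(row[4])
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(row[2], "%Y/%m/%d %H:%M:%S"),
            "user": m["user"],
            "ip": m["ip"],
            "svc": m["svc"],
            "ok": m["outcome"].startswith("logged in"),
        })
    events.sort(key=lambda e: e["ts"])  # in case the export is not chronological
    return events


def failed_ips(events):
    """Distinct source IPs with at least one failed login (the cut | sort -u count)."""
    return sorted({e["ip"] for e in events if not e["ok"] and e["ip"]})


def auto_block(events, threshold=5, window=timedelta(minutes=5)):
    """Simulate an auto-block rule: ban an IP the moment it reaches `threshold`
    failures inside a sliding `window`. Returns {ip: time of the block}. The
    window length is an assumption; DSM's rule has its own configurable period."""
    recent = defaultdict(deque)
    blocked = {}
    for e in events:
        if e["ok"] or not e["ip"] or e["ip"] in blocked:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            blocked[e["ip"]] = e["ts"]
    return blocked


def suspicious_successes(events):
    """Successful logins from an IP that failed earlier in the log: the pattern a
    password-guessing run leaves when it finally hits a working credential."""
    seen_fail = set()
    hits = []
    for e in events:
        if e["ok"]:
            if e["ip"] in seen_fail:
                hits.append((e["ip"], e["user"], e["svc"]))
        else:
            seen_fail.add(e["ip"])
    return hits


if __name__ == "__main__":
    ev = parse_events(SAMPLE_CSV)
    print("attacking IPs:", failed_ips(ev))
    for ip, when in auto_block(ev).items():
        print(f"auto-block {ip} at {when:%H:%M:%S}")
    for ip, user, svc in suspicious_successes(ev):
        print(f"REVIEW: {user} logged in from {ip} via {svc} after failures from that IP")
```

On a real export, call `parse_events(open("connection.csv").read())`. The last check is the one worth keeping around: a burst of failures followed by a success from the same address is a guessed password, not a scanner that got blocked, and `grep 'logged in'` alone does not surface it.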

Our cloud ssh gateway gets literally thousands of hits like this a day to users like root, mysql, oracle, etc.

If you've got an ssh host open to the internet at large, always disable root login and password based authentication.

Any open SSH port will get these kinds of hits.

Change the port your SSH is on to something other than 22.
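The two rules in the comment above (no root login, no password authentication) and the port question, as an added sshd_config audit written for this page, not code from Synology or the OpenSSH project. It reads the global section of an sshd_config the way sshd does, first value for a directive wins, and fills in defaults from OpenSSH releases before 7.0, where root login and passwords are enabled (the nmap trace further down in this thread shows OpenSSH 5.8 on a DiskStation). Both config fragments are constructed; the weak one carries a late `PasswordAuthentication no` that sshd ignores because an earlier `yes` already set it.

```python
import re

# Defaults for OpenSSH releases before 7.0 (root login and passwords enabled).
# Later releases default PermitRootLogin to prohibit-password; that version
# dependence is why the audit resolves defaults instead of only reading the file.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "port": "22",
}

# Constructed "as shipped" style config: root and passwords allowed on port 22.
# The trailing PasswordAuthentication no is ignored by sshd: the first value wins.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
Subsystem sftp internal-sftp
PasswordAuthentication no
"""

# Constructed hardened config: keys only, no root, non-default port, one allowed user.
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers alice
Subsystem sftp internal-sftp
"""


def effective_settings(text):
    """{directive: value} for the global section, keeping the FIRST value seen,
    as sshd does. Stops at the first Match block: directives after it apply
    conditionally, and evaluating Match criteria is out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(text):
    """Return findings as (severity, directive, message); an empty list is clean."""
    s = dict(DEFAULTS)
    s.update(effective_settings(text))
    findings = []
    if s["permitrootlogin"] != "no":
        findings.append(("high", "PermitRootLogin",
                         f"is '{s['permitrootlogin']}'; set 'no', root is the account every scanner tries"))
    if s["passwordauthentication"] != "no":
        findings.append(("high", "PasswordAuthentication",
                         f"is '{s['passwordauthentication']}'; set 'no' and log in with keys"))
    if s["challengeresponseauthentication"] != "no":
        findings.append(("high", "ChallengeResponseAuthentication",
                         "keyboard-interactive can still ask PAM for a password; set 'no'"))
    if s["pubkeyauthentication"] != "yes":
        findings.append(("high", "PubkeyAuthentication",
                         "must stay 'yes' or there is no way in once passwords are off"))
    if s["port"] == "22":
        findings.append(("info", "Port",
                         "22 draws every mass scanner; moving it cuts log noise but is not a security control"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or 'no findings'}")
```

To check a live box, run `audit(open("/etc/ssh/sshd_config").read())`, and only restart sshd after a key-based login has been confirmed from a second session: the hardened fragment locks out every password user, root's recovery path included. The `Port` finding is deliberately informational, which is the answer to the obfuscation question below: a non-default port thins the log, it does not stop a targeted attacker.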

Does obfuscation help with security? Or does it at least help with identification in some way?

I made the mistake of leaving a copy of my wallet.dat file on a Synology box that had port 5000 open to the net for the Surveillance Station app.

Pro tip: don't do that.

Stop teasing us! How much was in there?

Enough to get my attention (bigtime), but not enough to hurt.

I'm sorry for your loss.

A year or so ago, my Synology NAS got hacked by a Bitcoin mining virus. I only discovered it because a tech blogger tweeted about it and I happened to see it. My Synology was out of date and the virus must have exploited a vulnerability without any action on my part. Without knowing what to look for, the virus was effectively invisible. Given that I'm probably in the top 1% of tech savvy people, imagine how many others must have gotten infected! (I contacted Synology tech support and suggested that they send out an e-mail to their users, but they never responded.)

Unfortunately, last I checked, it's still impossible to have a Synology NAS automatically update itself.

That was a kinda "funny" virus. I got it too. How did I find about it? The fans kept spinning. Usually my syno is really quiet, you can only hear the drives. But that mining exploit made the cpu > 90% and the fans had to do their job.

So after a quick search, I discovered what it was all about, and some days later Synology released a nice update that got rid of it.

You can't auto update, that's true, but you can receive an email alert for each new release of the DSM. You can also do that for each package installed. So, all in all, that's good for me: I don't want my NAS to auto update when I'm not there, as I also usually wait a week or two before updating.

It does have an auto-update function of sorts, but the Bitcoin miner virus disabled it.

you can set it up to send email notifications when an update is available

I was just about to post something similar. Although I was lucky not to have the Cryptolocker or Synolocker.

My syslog shows a few people have accessed my NAS this month.

This is worrying.

Why is it open to the internet?

Don't do that.

You say it was "behind your router" but I think you've specifically opened ports to your NAS (or you have some sort of NAT and the NAS has done it)

Restrict access (if you must open it to the internet, open to only specific IP addresses) or better yet disable it, and use an ssh port-forward if you really have to get to it.

I don't have any Synology products, but I have a few things on my home network that I like having access to remotely, and my solution has been to put a Raspberry Pi running dyndns and OpenVPN between my home network and the open internet. This way I only need to make sure the Pi is up to date and that OpenVPN is configured and hardened properly, and my potential attack surface area doesn't change no matter how many things I add to my network that I want to access remotely.

So you advocate to buy a NAS and then disconnect it from the Internet, for security reasons? Might just as well turn it off completely, if your use case is similar to mine.

Is it really to much to ask to use the Internet as it was intended? We should consider these products broken.

Was it directly connected to the internet? Do you know how they got access? I am now worrying about my synology, but I am away from home for the next few days.

It was behind my router. My quick scan on log from 2011 shows I had no such problem, until recent months when they started to attack on Synology and turning them into Bitcoin miner.

So there were no open ports being forwarded to the Synology NAS?

It probably UPnP'ed itself out.

(Edit) Or it might've been checking for updates, got redirected elsewhere via a DNS hijack, downloaded something funny, didn't bother to check if it's authentic and installed it.

How do you think they accessed your NAS?

Really, there aren't that many ways to gain access. Two primary and likely methods:

1) Weak passcode. 2) Security exploit in DSM.

The fixes are easy; better passcode, and turn off remote access to the device until whatever flaw(s) can be patched.

you would still need to have ports forwarded to the NAS from the internet, a compromised router, or the NAS connected directly to the open internet. All of which are a bad idea.

If the device is vulnerable to a CSRF, then couldn't it be compromised simply by some browser on the LAN ending up on an unfortunate site that does some javascript hijinks to POST to likely, internal, IP addresses for a NAS? No open WAN ports needed.

Also, wasn't there a remote root exploit for samba4 patched just days ago?


However, there's really no reason to expose samba shares to the Internet. There are much better and more secure methods. As to the unfortunate victim, there's most likely no way anyone will be able to retrieve what has been locked by the remote attacker - except the remote attacker.

Just took a look at my logs. Was it an IPv6 address?

It would be very interesting to know how this happened, I guess this is the downside of using wide spread products.

Usually these types of machines have a web interface so that you can connect to your backups remotely. Once you plug it into a router or a home network it sits there waiting for someone to log-in. And as the saying goes, anything that’s connected to the Internet will eventually be hacked. Either it was misconfigured or there is an exploit in the wild.


You do realize that the NSA and its ilk are military organizations, right? We're (supposed to be) a nation of laws with due process: it's extremely worrisome to a free and open society to have the military go after criminals. That should be handled by law enforcement and the judicial system.

You know what would actually be useful though, since we're talking about taxpayers reaping benefits from the government? How about a non-military government agency that does computer security research, but instead of hoarding all the exploits, they share them with the public through well-financed and organized open source projects?


Let's get this straight. Can your position be correctly defined as: Blackhats are accused of breaking the law, therefore, they are not entitled to due process and legal representation in court? In addition, the military is allowed to make a hostile response with any offensive network resources they have available?

It's not really the NSA's jurisdiction to handle crimes like this. You're better off contacting the FBI, however it's probably wayyyy down on their list of stuff to worry about.

They do have a Cyber Most Wanted list: http://www.fbi.gov/wanted/cyber

Actually the FBI and the NSA 'handle' such crimes, they commit them themselves as we all know thanks to Edward Snowden …

Some examples: https://en.wikipedia.org/wiki/NSA_ANT_catalog

(We can of course pretend that they will go only after the bad guys and we have nothing to fear, maybe the only way to stay sane?!)

I've had my synology hooked up to the net and have seen a LOT of attempts in the past few weeks to log into root / sh from what looks to be Chinese IPs.

This is pretty normal for ANY device connected to the internet. I configure all my servers (including my synology box) to only allow ssh logins from certain IP addresses.

I had a server running on a bare IP address on AWS that was never publicised and only ran ssh and a custom node.js server. I saw tons of dodgy attempts from Russian and Chinese IPs.

Just a warning, watch which Twitter accounts you click on in that stream - some very graphic Gaza/Syria imagery in there.

As a first response, stop the port forwarding on your router.

Then wait for more info from Synology. I generally don't connect mine to the internet (inbound). I don't like the risks involved.

I wonder how many tech-savvy users have a complete reporting firewall, controlling in/out connections at home as opposed to a router with a custom password attached online.

I've been pondering the idea of a more feature rich router/firewall device for my home connection. Something that would do like you say report, log, audit, etc. Any suggestions for specific model or models to look at?

I happily run OpenBSD as my firewall. It's developed by competent people who care about what they are doing and who take pride in their work. But it's general purpose Unix, it's not just a firewall or router.

Which means that it's more work to administer than something developed as a dedicated router or firewall.

Also I'm running on a generic x86 computer. I pay about $1/yr per watt drawn 24x7, which means my firewall costs me about $80/yr just in electricity. A smaller "appliance" type firewall would certainly have much lower operating costs.

Sorry I don't have any suggestions more tailored to your request. I'm just letting you know what works for me.

I run a beaglebone black, which draws about $4.82 of electricity a year once I've plugged in all the externals (at $0.11/kWh).

Wow, what's your price per kWh and what (rough) location?

8760 hours = 1 year


a 1 Watt device running 24x7 = 8.760 kWh

billed at about $0.40/kWh [includes both generation and delivery and normal for NE USA - ain't deregulation great?!] ~ $3.50 per year.

In order to get to $1.00, total cost per kWh must be about $0.114 ...

Thanks, turns out I've had the wrong maths for this in my head for years!

me1010 beat me to it, I didn't know that HN keeps people from posting too often. It imposes a timeout! I know now! Anyway, here's my post, same cost info as he has. But I also had a discussion of power in various areas:

Portland Oregon metro area. Unfortunately for pricing the utility is Portland General Electric. Some places in the area have "people's utility districts", i.e. publicly owned. Those get preferential pricing from the govt, i.e. Bonneville Power. And the price per kWh is of course variable like in most communities (e.g. because of lifeline pricing).

Overall I'm paying about $0.12 per kWh. There are 24x30x12 hours in a year = 8640 hours. Therefore a kilowatt costs $1037 per year. Approximately.

I'm relatively happy, all things considered. It would suck to live in the People's Republic of California. My understanding is that peak pricing in some communities there could be 3x or more than what I'm paying.

Aha. The storage decisions I make will have to be a bit different given that I'm paying around $0.31 per kWh.

Thanks for that.

Maybe a ZyWall? The problem with more advanced routers is that they are a pain to set up and that you will most likely use features in comparison to a consumer router.

pfSense works great for me, been using it for a few years now.

Carambola 2 + OpenWRT or FreeBSD (if you are very tech savvy). Then using remote syslog to log everything on another device (RPi?). There you could run analytics.

I'm guessing this only affects you if you have their EZ-Internet service enabled that exposes the NAS to the public internet. Or if you exposed it yourself on your firewall.

I've had a Synology NAS for almost a year now. I really like the UI, but the software stack they're using under the hood (Apache, PHP, MySQL, etc.) has a massive attack surface, if not routinely kept up-to-date.

Here's an nmap trace from my Synology DiskStation:

  amber@leysritt ~ % nmap -A <redacted>
  Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-03 23:06 BST
  Nmap scan report for <redacted>
  Host is up (0.011s latency).
  Not shown: 987 closed ports
  22/tcp   open  ssh         OpenSSH 5.8p1-hpn13v11 (protocol 2.0)
  | ssh-hostkey:
  |   1024 <redacted> (DSA)
  |   2048 <redacted> (RSA)
  |_  256 <redacted>  (ECDSA)
  80/tcp   open  http        Apache httpd
  |_http-generator: ERROR: Script execution failed (use -d to debug)
  |_http-methods: No Allow or Public header in OPTIONS response (status code 301)
  |_http-title: Did not follow redirect to http://<redacted>:5000/
  111/tcp  open  rpcbind     2-4 (RPC #100000)
  | rpcinfo:
  |   program version   port/proto  service
  |   100000  2,3,4        111/tcp  rpcbind
  |   100000  2,3,4        111/udp  rpcbind
  |   100003  2,3         2049/udp  nfs
  |   100003  2,3,4       2049/tcp  nfs
  |   100005  1,2,3        892/tcp  mountd
  |   100005  1,2,3        892/udp  mountd
  |   100021  1,3,4      33154/tcp  nlockmgr
  |   100021  1,3,4      38187/udp  nlockmgr
  |   100024  1          44039/tcp  status
  |_  100024  1          53309/udp  status
  139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: REDACTED)
  161/tcp  open  snmp?
  445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: REDACTED)
  515/tcp  open  printer
  548/tcp  open  afp         Netatalk 2.2.3 (name: redacted; protocol 3.3)
  | afp-serverinfo:
  |   | Server Flags: 0x8f79
  |   |   Super Client: Yes
  |   |   UUIDs: Yes
  |   |   UTF8 Server Name: Yes
  |   |   Open Directory: Yes
  |   |   Reconnect: No
  |   |   Server Notifications: Yes
  |   |   TCP/IP: Yes
  |   |   Server Signature: Yes
  |   |   ServerMessages: Yes
  |   |   Password Saving Prohibited: No
  |   |   Password Changing: No
  |   |_  Copy File: Yes
  |   Server Name: redacted
  |   Machine Type: Netatalk2.2.3
  |   AFP Versions: AFP2.2, AFPX03, AFP3.1, AFP3.2, AFP3.3
  |   UAMs: Cleartxt Passwrd, No User Authent, DHX2, DHCAST128
  |   Server Signature: redacted
  |   Network Address 1: redacted
  |_  UTF8 Server Name: redacted
  631/tcp  open  ipp         CUPS 1.5
  | http-methods: Potentially risky methods: PUT
  |_See http://nmap.org/nsedoc/scripts/http-methods.html
  |_http-title: Not Found - CUPS v1.5.4
  2049/tcp open  nfs         2-4 (RPC #100003)
  3689/tcp open  daap        mt-daapd DAAP
  5000/tcp open  http        Apache httpd
  |_http-generator: ERROR: Script execution failed (use -d to debug)
  |_http-methods: No Allow or Public header in OPTIONS response (status code 302)
  | http-robots.txt: 1 disallowed entry
  |_http-title: Did not follow redirect to https://redacted:5001
  5001/tcp open  ssl/http    Apache httpd
  |_http-generator: ERROR: Script execution failed (use -d to debug)
  |_http-methods: No Allow or Public header in OPTIONS response (status code 301)
  | http-robots.txt: 1 disallowed entry
  |_http-title: Did not follow redirect to https://redacted/webman/index.cgi
  | ssl-cert: Subject: commonName=synology.com/organizationName=Synology
  | Not valid before: REDACTED
  |_Not valid after:  REDACTED
  |_ssl-date: REDACTED
  | tls-nextprotoneg:
  |   spdy/3
  |   spdy/2
  |   http/1.1
  |_  x-mod-spdy/
  Service Info: OS: Unix

  Host script results:
  |_nbstat: NetBIOS name: redacted, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
  | smb-os-discovery:
  |   OS: Unix (Samba 3.6.9)
  |   Computer name: redacted
  |   NetBIOS computer name:
  |   Domain name:
  |   FQDN: redacted
  |_  System time: redacted
  | smb-security-mode:
  |   Account that was used for smb scripts: guest
  |   User-level authentication
  |   SMB Security: Challenge/response passwords supported
  |_  Message signing disabled (dangerous, but default)
  |_smbv2-enabled: Server supports SMBv2 protocol

  Service detection performed. Please report any incorrect results at
  http://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 40.47 seconds

It's sad that most of the open-source NAS solutions are so bad compared to their commercial counterparts. FreeNAS (and related forks) sacrifice too much flexibility and don't offer anything that you can't easily do yourself with a Linux/BSD server distro.

I'd love to work on an open-source, security-oriented, user-friendly DSM "clone" with the right kind of people. If this sounds like fun or it sounds like something you're currently working on - shoot me an email: amber@fastmail.jp

I also wish there was such a thing as a nice, inexpensive ARM board (~$100) with plenty of SATA ports and upgradable RAM (so you can run huge ZFS pools on it) that you can install your own OS on...

Synology DSM is a GNU/Linux distro. It runs the exact same stuff as any other distro, including the kernel and all services and the filesystem. The only differences between building your own NAS with a good server distro like Debian 'stable' and running a "commercial" Synology box are:

1. The client interface to the NAS.

2. The 'cloud' services.

Only #1 is actually a deliverable with the Synology NAS. And #2 presents a terribly broken privacy policy...

For myself, I'd much rather be running something that I know is updating from an authenticated and keyed repo than something which is attempting to make the user believe that somehow the "commercial" NAS is magically different than running a regular GNU/Linux distro...

It would be good if that was the only difference, but unfortunately NAS boxes usually lack the competent security updates and the automated delivery mechanism for them.

Compared to a good (I don't really consider Debian "good", since the 2006 OpenSSL screwup) Linux distro: you control your own software, you can make sure it's kept up-to-date and the binaries come from a trusted source (and you can build them yourself, if you want to).

If you're upset about the OpenSSL screwup, you're mad at the OpenSSL project for telling the Debian maintainer that commenting out some code would be OK.

Your beef is with ulf@openssl.org, not the Debian project.


He didn't say that he was a Debian maintainer or planning to comment out the two lines and ship it in a distro, misdescribed what he was commenting out, and didn't provide enough context to make it clear that he'd misdescribed it. (Even knowing what functions the lines he was commenting out were in would probably have been enough to ring alarm bells.)

There's a limit to how much effort the OpenSSL developers should have to put into stopping people from shooting themselves in the foot, and tracking down lines of code identified only by their line number in an unspecified version of OpenSSL to make sure they do what some random guy on the mailing list thinks they do is way over that limit.

I'm upset that in the year 2014 we still think that having the package maintainers patch ancient software instead of providing latest upstream versions is a good idea. I'm a big fan of the *BSD package management model - they give you a stable core, you pick your own (upstream, possibly bleeding-edge) versions of everything else.

I'm not sure what you mean...

Are you comparing the Synology GNU/Linux distro to Debian or some generic [non-Debian] distro to Debian?

If you are comparing Synology to Debian, then the "trusted" source argument is entirely flawed. The source, meaning both source code and source of software, of software running on Synology hardware is not Synology. Synology only makes the GUI client that runs on your machine that locally interfaces to the NAS box.

As to the Debian 2006 SSL problem... stuff happens... Apple had some silly security problems too, much more recently than 2006. And Android is so full of holes, it's a wonder the platform works at all...

However, when the generalized public buys a NAS product -- the vendor should indicate the potential security problems regarding "cloud" connections in big bold letters on the box and in the manual and have a large red warning that pops up in the user interface. My guess is most users wouldn't care, but it actually is extremely risky to connect these devices to the wild wild west open Internet.

Surely you'd need to write it yourself. Well, no - what if the compiler is compromised!


I think I trust my compiler to generate clean assembly more than I trust a commercial company like Synology to write secure software

I've hacked my own Synology through its "cloud services" setup, to the point where I uploaded a privilege escalation exploit (for the really old kernel). It was frighteningly easy, so now it's firewalled off on my local network :(

Did you contact Synology to report the vulnerability?

Someone already had, I didn't find the vulnerability on my own. I merely played with it to see how bad it was

How could they possibly not be aware?

Probably because nobody has contacted Synology to report the vulnerability

If they read their own customer forums, they're aware.

If they don't, they're almost criminally negligent, so you wouldn't want to buy from them anyway.

I am currently running FreeNAS for my home storage, what is it that you are missing?

I used to run a simple Ubuntu server with NFS, but realised I just want the simplicity of a web interface over doing it over ssh.

IMO ARM is kind of a wash when it comes to NAS - with modern chipsets most of your power goes to keeping the disks spinning. My C2550D4I file server build I just completed uses about 60W in idle. By my calculations ~40 or so of that is the power used by the 8 disks plus SSD boot drive.

x86 chips are more than suitable for the application since you're no longer in "ultra ultra low power" territory (and for ZFS, are beneficial because you want those checksum calcs to finish fast).

I agree, but I can buy two entry-level Synology DiskStations for the price of one C2550 CPU+MB bundle. I really like that CPU and I would buy it in a heartbeat to replace my Synology, if the price didn't include the "GenuineIntel tax".

When I bought it, my HP MicroServer cost less than any equivalent ARM NAS, it has ECC RAM too.

I also went with an HP MicroServer, but only just heard about their somewhat recent policy change of requiring a valid warranty or paid service plan to obtain firmware and software updates.


Same. I went that route because a NAS of any appreciable capacity was going to cost more for the box and no disks than my entire setup put together.

Can the disks spin down at all in your set up?

I've been looking at those processors for a while (Intel Avoton C2550). Was there any advantage to going up a few models in that series?

I have a dumb question: How are they using ZFS on these? I thought ZFS was incompatible with GPL, which was a stumbling block for implementing it in linux. Don't tell me they're using FUSE.

Or do these NAS machines all run some BSD variant?

Most of these appliances aren't using ZFS. They are using mdadm with ext4.

There's http://zfsonlinux.org/ The ZFS license prohibits it from being distributed as part of the kernel binary, but there is nothing prohibiting source code or a binary for a ZFS kernel module from being distributed separately.

But I have no idea if they use it or not.

You can use it under Linux, but distribution is more involved, at least according to some people.

Use FreeNAS if you want ZFS on a NAS though, it is well supported.

Uh... why was your relatively cheap "nas-in-a-box" exposed to the public internet? I don't even let my NAS at the office be exposed to the internet!

- Also, for what it is worth, FreeNAS is amazing, and is open source.

It's a worrying meme that you shouldn't even expect your internet-connectible devices to survive the internet, and when they break it's your fault.

If a consumer device speaks IP and is not designed to survive in a reasonable internet-connected home network, there should be huge warning labels all over it and it should go to some safe-mode with only diagnostic functionality if it detects internet connectivity.

> "It's a worrying meme that you shouldn't even expect your internet-connectible devices to survive the internet, and when they break it's your fault."

This has been the go-to techie reaction to security problems since the time of dial-up modems. It's a bad attitude [1], but it's not a "meme". It's the only successful strategy an entire generation of technologically-minded people have found and preached in response to a generation's-worth of terrible software security, slow/absent/can't-be-arsed software providers and under-educated users.

Should things be different? Sure. Attitudes should be better and the software should be better. But so long as the latter isn't reflected in reality, there isn't much hope for the former.

[1] It's a bad attitude because blaming the user puts them on the defensive and reduces the chance of any progress being made.

You can't have your cake and eat it too.

If you want to buy an off-the-shelf "home appliance" you will get just that -- a product where you cannot update firmware/software, reconfigure security and firewall settings, etc. Maybe it's secure the day you buy it -- but in 5 years? With no updates? No way.

If you buy something more enterprise grade -- or, the best option, roll your own with some of the very good options like FreeNAS or OwnCloud, then you will be able to keep it secure and up-to-date. But this takes more effort - and is likely the reason the OP did not opt for one of these very fine options.

> "It's a worrying meme that you shouldn't even expect your internet-connectible devices to survive the internet, and when they break it's your fault."

That's not true -- you have an ethernet/network capable device; not an internet capable device -- nowhere on the box does it say "Plug this directly into the open public network in front of your firewall or inside a DMZ." You need to be responsible with your devices. Just because it can serve a web page does not mean it should be accessible over the internet! This is true even with enterprise grade gear.

Saying you want to not worry about security at all but still want to put devices on the public internet that need protection is like saying you want to have a car but don't want to ever change its oil. Sure, you as an individual can avoid changing oil -- hire a technician. Same goes with your home network.

So no, it's not a bad attitude -- it's irresponsible and/or ignorant home users.

> That's not true -- you have an ethernet/network capable device; not an internet capable device -- nowhere on the box does it say "Plug this directly into the open public network in front of your firewall or inside a DMZ."

It pretty much does exactly that. It's marketed and designed for you to open ports directly to it for its various first-party packages, like PhotoStation, CloudStation, WebDAV, etc. I think it's reasonable to expect that those packages, which are major selling points for this system, should be reasonably capable of working on the public Internet.

> like PhotoStation, CloudStation, WebDAV,

There are secure ways to run things and insecure ways to run things. It's very possible to setup a postfix or exim smtp server as an insecure open relay running on port 25. It's also possible to have either running securely on port 25... And an open port is meaningless by itself. It's the security options applied by the system and application running a service on the port that matter.

The examples you give are just applications that run over http or https... https requires an SSL cert from a trusted CA, and http is a very bad idea for anything that you log into, or that has free access to your home network from the Internet.

I imagine most users skip this step... http://docs.qnap.com/nas/4.0/en/security.htm?zoom_highlights...

Note, the SSL certificate instructions... You can upload a secure certificate issued by a trusted provider. After uploading a secure certificate, users can connect to the administration interface of the NAS by SSL connection and there will not be any alert or error message.


The error message referred to here is the web browser message indicating that the SSL certificate doesn't match a trusted CA, and therefore your "secure" NAS connection might be Man-In-The-Middle attacked... And if you don't upload an SSL cert - and connect via http externally - it means that the most amateur of "bad guys" already has your 30 character username and your 45 digit/character/special character password...

You're right, but I'm not sure that we're saying different things. (FWIW, I actually bought an SSL cert just for my Synology DS412+.)

We don't have enough information to even guess at what the root problem might be, but I contend that this particular piece of hardware is designed for and meant to live on the open Internet. Yes, that's a very scary place. But it's not unreasonable to think that an up-to-date Unix server should be capable of the job, especially when its vendor explicitly sells it on the basis that it is.

I'm strongly hoping that the vulnerability turns out to be something already patched in a software update and not a 0-day. That would go a long way toward making me feel better about the situation.

> But it's not unreasonable to think that an up-to-date Unix server should be capable of the job

You are right, an up-to-date Unix/Linux server is capable of the job (but still requires routine security maintenance to keep secure!) -- however, this home appliance is far from being up-to-date... by design.

My CentOS boxes at the office update almost every few days... how often does this appliance update? Once a year? Maybe twice if you are lucky. Then how many users are actually applying all updates? Probably very few.

I would further contend that a nas-in-a-box like this can never be secure. The vendor isn't going to update it frequently enough -- not enough users will actually update -- they are likely using old out-dated/insecure versions of various open source projects or worse, crudely hacked together proprietary projects to run the webserver, webui, ssl layer, authentication, etc. By now, the manufacturer has probably already back-burnered this device and moved onto newer models, or will be shortly -- completely abandoning all the current users who will get stuck with a swiss-cheese-in-a-box.

I'll go further and contend the only safe and secure way to do this is to go with something like FreeNAS or OwnCloud. Both are current projects with massive user-bases. Both are FOSS projects, and both have a corporate backing if you need support or more enterprise features. Both stay very up-to-date with bugfixes, security fixes, and new features rolling out often. Both have upgrade paths from older versions, etc. Basically, they are much more secure and will stay that way for the life of the project.

> how often does this appliance update? Once a year?

About once a month: http://www.synology.com/en-global/releaseNote/model/DS412+

Synology uses the same base distro across all their devices, so everyone gets updates at about the same time. The device emails me when a new software version is available.

I get what you're saying, but in this case it's totally wrong. They're very active about providing updates to add functionality (even to old systems!) and fix stuff.

So back to my original position: this is not an unreasonable thing to expect to be able to run on the Internet. It's a modern Linux box that gets monthly updates, designed with the explicit intention of providing secure services over the public Internet. It would absolutely suck if that proved not to be the case.

IDK what world you live in, but in my world I'm not getting actively MITMd by "amateur bad guys". If that was the case, my NAS would be the last thing I'd be worrying about.

Also, what security do you expect SSL to provide on a device with copious remote code execution vulns?

I've been running FreeNAS since 8.1... not sure what this person is referring to, I have several jails running on the same machine with all sorts of wonderful services making my life nice and wonderful (huginn, sickbeard, rtorrent, owncloud, subsonic)

I run a similar setup, it provides VPN access for me (mostly to secure connections in public wifis) and runs a TOR node.

As you said, it is cheap, power consumption is ok and it is ready to go after you plug it in.

Maybe http://zfsguru.com/ could use some help.

How does one lock down their Synology? I sadly don't have extensive experience with linux.

No need for extensive Linux experience: Use a secure password for DSM, turn off "EZ-Internet" and other DynDNS-like services, make sure it's connected to your router and not directly to the Internet, don't forward any ports, don't enable DMZ or similar functionality on your router, keep up-to-date with DSM updates, make sure other computers on your network are malware-free (there could be a piece of PC malware exploiting synology devices found on the local network), keep multiple backups in different locations (online and offline) of your most valuable data.

These are just best practices, since we don't know anything about this particular piece of malware yet. They should cover most threats and worst-case scenarios.

If you need access to your Synology device from outside your home network, use a VPN or an SSH tunnel.

> turn off "EZ-Internet" and other DynDNS-like services, make sure it's connected to your router and not directly to the Internet, don't forward any ports, don't enable DMZ or similar functionality on your router,

Best practices only if you do not want to access your data outside of your local network – and that is probably no longer the standard case since data you cannot access from mobile devices etc. is pretty useless. And for compliance and security reasons, many users and companies cannot legally use cloud services and therefore have to use a 'private cloud', i.e., some local server, for example a NAS accessible from the Internet. A manual configuration is of course recommendable but in the end, a 'private cloud' has to be exposed to the Internet and you have to trust your software vendor. The most you can usually do is to protect your LAN by putting your 'private cloud' in a DMZ (although for consumers, that is usually not an option since consumer routers do not offer a real DMZ).

As a private user, the best solution I found was to go through BTSync set on a limited set of document folders.

It doesn't need to forward ports or expose the login system. The BTSync server is still a vulnerability, but it's under its own user and should give less exposure than the other services like the DSFile that check the login/password. Potential damages on a simple breach (i.e. the sharing key leaked or was guessed) should be limited to the shared folders. I hope.

I don't have a device, so I cannot verify. But wouldn't an ssh tunnel achieve the goal of penetrating your NAT externally while still not exposing it to the public internet? Granted that is probably not within reach of most users without a tutorial.

It's called VPN... and yes it works on mobile devices too.

How can I make sure that apps accessing a NAS only use VPN connections? By default, such configuration is not available for OS X and iOS.

On iOS, you can use profiles I guess but that is not a standard function.

Forget the password... Those are broken.

Use keys and only keys instead...


Are all of those services definitely listening outside of your local network?

My favorite Synology vulnerability from the linked list:

'The OpenVPN module in Synology DiskStation Manager (DSM) 4.3-3810 update 1 has a hardcoded root password of synopass, which makes it easier for remote attackers to obtain access via a VPN session.'


I hate to see things like this. I feel horrible for anyone who has to face the realization that they're going to actually have to pay an online-terrorist money to get their data back.

Here's to hoping this will only make the tech industry invest more into security, especially for consumer products which are often neglected. Sad that stuff like this needs to happen, but it's the cost we pay.

I don't understand how he got hacked. Anyway, there is a service like fail2ban on the Syno.

And the plot thickens. Synology acknowledged on Facebook and customers are not happy: https://www.facebook.com/synology/posts/10152343606857897

Doesn't this actually un-thicken the plot? :)

Wow, I was just about to buy a Synology this coming week and now I have second thoughts. Now more than ever I'm certain that having only Drobo/Synology is not a good backup solution, but having a backup of the backup is equally important.

1. Never expose it to the internet... Use a VPN if you have to access from outside your network. Most home routers support VPNs so there is no reason not to

2. You should always have 3 copies of data, 1 working, 1 local backup and 1 geo diverse backup (i.e. a spideroak, crashplan, or even a friend's house) Most people forget the 3rd but what happens if your house burns down?

3. You should have a completely cold backup of important data, this could be an external hard drive that is only plugged in when backups are done, DVDs, Tape Drive, or something else, but whatever it is it should not be accessible to the system without manual intervention, this will prevent scripts from deleting everything.

Why can't your offsite backup also be your offline backup?

We have this problem at our company where the fastest internet our company can possibly get is 20mbps down/4mbps up - and we make ~20GB of backups each day. Absolutely impossible for us to upload all of it to a server offsite overnight.

For many people internet access speeds are too slow.

it can

Looks like there are at least 150 affected devices: https://www.shodan.io/search?query=title%3Asynolocker

I'm waiting for this bullshit to appear on ordinary routers...

They wouldn't really have anything to hold ransom. Routers usually have hardware reset switches in the back too. Not saying it's not possible, but little to gain by holding it ransom. If they hacked the router, they'd be doing the kind of things they WON'T inform you about, like man in the middle attacks stealing everything from all your user/passwords to credit/bank/personal info.

Well, the reset switch usually causes the bootloader to reformat the volatile partition of the flash.

But there's nothing to stop an attacker from rewriting the "write protected" areas like e.g. a firmware update does.

Consider that many routers these days come with NAS or MediaServer functionality... and thus are a valid target for hackers.

Furthermore, they are often directly connected to the Internet, and there have been numerous remote-root exploits for cheap Chinese knock-offs as well as for highly praised manufacturers like AVM.

so they hold your router hostage. then what? you buy another one. whatever.

Again, the dangerous part isn't holding it hostage, it's what they can do to it without you noticing. They can intercept all your network traffic, redirect websites you visit to a server they control, etc.

If you have a hard drive plugged into your router, they can perform the same crypto-lock attack being discussed here. They can also use your router to launch attacks against the rest of your hardware.

If modern routers are delegated to router duty only, this wouldn't be a problem. However, routers these days are for all intents and purposes, specialised home servers with shared media streaming and the like as well. These are value-added functionalities ISPs use to entice new users and I'm sure a fair number of them use these to store photos, connect their USB drives - mine is also a print server for use with non-wifi network printers.

> like man in the middle attacks stealing everything from all your user/passwords to credit/bank/personal info.

If you're logging in or sending financial data over insecure (non-SSL) connections, you already have a problem.

SSL Strip still works and banks don't care about anything other than providing the illusion of security and standard SSL.

Take for example an old lady down the road who somehow got some futuristic malware on her router. She goes to Bing to search for Wells Fargo to do some online banking (and you know that there is a huge portion of users who only browse the web this way). Hypothetical malware then just runs SSLStrip over the page from bing.com which isn't served over ssl because Microsoft values their bottom line over your privacy and security, which then replaces the link to the https site with http, the router acts as a proxy between http and https so wellsfargo.com is none the wiser. Evil hacker now has poor old lady's password and transfers the money in her account to his own foreign bank account.

This hypothetical scenario is doable even running off of a slow router while not using many more resources than the parental keyword filtering uses. At no point does SSL ever come into play and the top 4 Banks in America (Chase, Citibank, Bank of America, Wells Fargo) don't use HSTS so there's no real way to protect their users from SSLStrip unless a browser includes them in some force SSL list.
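As an added example that is not part of the thread, this Python model of a browser's HSTS cache shows why the scenario above hinges on the banks not sending Strict-Transport-Security: with a stored policy (or a preload entry) an http:// link produced by a stripping proxy is upgraded before any request leaves the machine; without one it is sent in the clear. Host names, header values and the preload set are constructed for illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for a browser preload list (the "force SSL list" above).
PRELOAD = {"preloaded-bank.example"}

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if max-age is missing/bad."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name.lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsCache:
    """Hosts a browser remembers as HTTPS-only (simplified RFC 6797). Only feed
    observe() headers from HTTPS responses; browsers ignore HSTS over plain HTTP."""
    def __init__(self, now=time.time):
        self.now = now          # injectable clock, handy for tests
        self.entries = {}       # host -> (expires_at, include_subdomains)

    def observe(self, host, headers):
        parsed = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.entries.pop(host, None)   # max-age=0 means forget the policy
        else:
            self.entries[host] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        if host in PRELOAD:
            return True
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url):
        """URL the browser really requests: an http:// link to a known host is
        upgraded before any packet leaves, so a stripped link is harmless."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

The first visit to a host with no policy and no preload entry is exactly the window a stripping proxy needs, which is why the preload list matters for sites that users reach by typing a name or clicking a search result.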

> SSL Strip still works and banks don't care about anything other than providing the illusion of security and standard SSL.

Speaking as a security officer for a (non-US) bank, this is not true.

We use EV certificates (to increase visibility vs. standard certs), deployed HSTS over a year ago on most of our properties, force HTTPS and pin keys wherever we can (i.e. mobile apps). And even if a session is compromised: transactions are screened and verified before execution.

Yes, our chief concern remains the bottom line. Pushing for more trust increases our user base. Fighting fraud avoids compensation payments. Building awareness and implementing technical measures aids both of these goals, so we get to spend a reasonable amount on both.

The UK bank I use doesn't even bother to force HTTPS on most of their site, let alone use stuff like HSTS. They helpfully make use of EV certificates for the bits of the site that are secure though (except those still don't show up differently on many devices).

Does someone have the expertise to set up a Synology OS or DDWRT as some type of virtual machine, run it as a honeypot, and do daily/hourly high-level tests for compromise?

I have a Qnap and they are pretty similar to Synology. Wonder if there is a similar attack against them.

Also curious if this was linked directly to the internet.

Quite possibly. Run an internal and external nmap scan against your device so you at least know the attack surface.

Looks like you gain access to firewall and other security tools if you upgrade the DSM to the latest version.


That's why I use a firewall in front of it.

Holy shit, after seeing these comments I'm never buying synology

I'm not sure that's entirely fair. No internet device is infallible. Other NAS vendors have had similar levels of bugs leading to exploits.

QNap [1], FreeNas [2], WDC [3] and Seagate [4] for example all have their own issues. Added to that, any device that is insecurely configured as default [5] is going to get hacked.

FreeNas is open source. It has exploits, though notably easier for savvy customers to dig into why they got hacked in the first place.

The real question here is why people need to expose their NAS drives to the internet. I personally don't have a fast enough internet connection to make hosting anything useful. Notably I did try and share my photos with friends and family, but the upload on my DSL is so dire it was a painful experience for all involved.

- [1] http://www.cvedetails.com/vendor/10080/Qnap.html
- [2] http://www.cvedetails.com/vendor/9964/Freenas.html
- [3] http://www.cvedetails.com/product-list/vendor_id-12782/WDC.h...
- [4] http://www.cvedetails.com/product-list/vendor_id-11967/Seaga...
- [5] http://www.drobospace.com/forums/showthread.php?tid=141894

I do not think Synology has much to do with what happened. A weak password, out-of-date Synology software and/or an incorrect setup are all caused by the user.

Synology produces very good products at very affordable prices.

Synology has a vulnerability in their closed down software which allows this... how is this not something they have control over?

Also, this is not the first time this has happened to Synology hardware. Sure, bigger companies attract more attacks, but this is incredibly bad.

Has this been proven to be the case? ("a vulnerability in their closed down software which allows this"). Could you give me a link? Thanks!

If you are affiliated with Synology you should disclose that.

I see that your account is only 19 hours old.

No affiliation. I am sure my account is not the only one recently created. Merely a coincidence.

I own a DS411J. Really happy with it.

You can see that there have been hacks of synology products, right?

You are trolling me, yes? Next you will say Cryptolocker is a Windows vulnerability (that is not to say that Windows does not have vulnerabilities).

The problem is that Synology has historically not been very proactive at informing and educating their users about security threats, including very specific ones like this. A company that specializes in selling advanced network appliances to novice users and non-IT pros has a certain obligation to those users, IMHO.

PayPal has been described as "a fraud detection company that also transfers money." That's how Synology needs to think of themselves.

If a few guys ran a Synology NAS with terabytes of dummy data, let the ransomware do its job, rinse and repeat, would we be able to inflict a huge storage bill on the datanappers? If their storage limit got maxed out, would it stop the ransomware from working?

The ransomware doesn't copy any data off the NAS, it simply encrypts it in place. When you've paid up, they send you the key to unencrypt your data.

"they send you the key"

If they send the key. If I was a criminal, I would minimise contact with the victims.

I gather that historically at least they almost always send the key. At the end of the day they're a business like any other and a few bad reviews will kill their revenue stream. However if they are known to offer fast replies and support, it's a lot easier to convince people to pay up.

Seems so ironic:

Bad guys ransom-ware business dependent on good reviews from 'paying customers' whilst processing support requests for 'license keys' in a timely manner.

"Quick response and delivery. Decrypted as listed in the instructions. Would do business again! 5-stars! Best hackers on eHack."

My bad, for not understanding how it works.
