One of the most scary things that I have found online is the number of people who plug a hard disk into their router so that storage can be shared within their home network, but the security is set so lax that it is also being shared to the world.
That may not sound scary in itself, but if you have shares which do not require authentication, and they get mirrored to the world, things start to get a bit more serious. Add onto that the situation where people scan their passport, their pay slips, their driving license and store it on their NAS. Yeah. Shit just got real.
For what I am going to go through, I want to make a few things clear:
- The NAS I was able to access has now been locked down. I have made a conscious effort to inform as many people as I can when I find they have an open NAS drive. From residential to businesses. I leave lots and lots of files explaining the situation.
- No data has been downloaded and stored. I have only taken a couple of screenshots, and any identifiable information has been removed, and the original screenshots destroyed.
- I made every effort to contact everyone I could at the time of finding the security vulnerabilities – the abuse@ contacts were informed as well.
- I do not profit from my scanning – I do it to help prevent identity theft, and I ask for nothing in return. The majority of the work was automated.
- I have re-written this article so that it cannot be used as a ‘manual’ for stealing information, but more as an informational article to
Using the well-known vulnerability search engine Shodan, I was able to use specific phrases to find unprotected shares – about 22,000 globally, North America being the worst culprit, and Russia coming up in 2nd place. Some parts of Africa came 3rd, and Europe came 4th.
Shodan has a method of exporting the records, and so I did, into a nice simple CSV file, with the host name, IP address, country and so on. All great metadata, but not needed for this experiment.
I wrote a script that then looped through these hosts, connected, got a list of shares, and then tested each one to see if it were secured. The majority of shares on each device were, but there were shares which were not. Of these insecure shares, the script blindly copied a standard text file in with a brief description of its existence:
Hello, If you are reading this, it is because your router has exposed your network shares, including any shares that are not password protected. I have not copied any of your files, just left this file here to warn you. Please update the settings on your router to either hide your shares from the internet (WAN), or make sure a password has been set on all your shares. -A
I connected manually to one to check that I was not getting false positives, which I was not. However, what popped onto my screen was very, very concerning.
At this point, I immediately disconnected, and fired an email across to Virgin Media (who was this chap’s ISP) stating how important it is for this issue to be resolved. However, of the number of abuse reports (including this high importance one), I have not received any response back at all. Not a sausage. I am hoping that they have taken these reports and acted upon them and contacted their customers.
This screenshot is all I have as evidence of how insecure NAS drives can be at home or in business – without the right security settings, you can be exposing your files to the world.
After 100 or so hosts, I stopped my scanning. Part of me feels that I should continue and let people know when they have insecure storage, but part of me is also concerned that I may be leaving myself open to some legal issues, even though the scanning is part of ‘good samaritan’ work to make sure people stay a bit safer online.