Beating ransomware: how to secure your NAS

Radu Zaharia
7 min read · Mar 3, 2022


Photo by Michael Geiger on Unsplash

There were two recent hacks on NAS systems: one targeting QNAP devices and one targeting ASUSTOR devices. I never understood why NAS brands are all in caps, but here we are. I am a strong proponent of de-googling and de-clouding your life, and no matter how you do it, with an off-the-shelf NAS or a custom Raspberry Pi as a home server, securing it is an important part of the work, and it’s on us to do it. As a first step, I wrote another article explaining the guest WiFi network, why you should have it and how to use it. I strongly suggest following those steps, as they will boost your home network security by a great margin. But for now, let’s talk about the first great vulnerability of all NAS systems.

Quick Connect

Photo by Clint Patterson on Unsplash

Synology calls it Quick Connect, ASUS has it as EZ Connect and for QNAP it’s myQNAPcloud Link. To set it up, you have to create a cloud account with your NAS provider and enable this service on your router; when you enable it, you also have to provide your cloud account credentials. In return, you can access your NAS via a browser URL. The communication happens over the standard HTTP/HTTPS protocols, so you won’t have to open or forward any ports on your router.

Next, when you want to access your NAS from anywhere in the world, you enter the NAS URL you were given, log in using the NAS cloud credentials and you are good to go. There is also mobile app support for this, letting your NAS mobile apps connect using the cloud URL and credentials, again making the NAS available to your mobile apps everywhere. You can see why this is all very convenient. First of all, you don’t need to forward router ports. This is big. Not only does it give you full communication with your NAS without messing with your router, but all attacks that try to probe and enter your network via TCP ports will fail. Next, you have a convenient HTTPS URL to access your NAS, which means the communication will be fully encrypted, and again it is convenient. Instead of remembering your public home IP, you use the NAS URL. And if your public home IP changes from time to time, this setup keeps working automatically.

There are two issues, though, which make me disable this feature immediately. First, by linking your NAS with a cloud account, security is no longer in your hands but with a third-party provider. Meaning whatever security issues QNAP or ASUS have, undiscovered vulnerabilities, missing updates or whatever, will determine the security of your NAS. This is big, because you cannot possibly know what security vulnerabilities Synology has on their servers. Or QNAP or anybody else. Sure, the ad on the page will give you all the guarantees; they will swear on anything that their security is great. But again: can you know? And in the ASUSTOR and QNAP cases, they did have an unknown issue which caused ransomware to spread in the home networks of their users.

Which brings us to the second point: there is no way you can mitigate these issues. They are not in your hands. I will say it again: if you have Quick Connect or similar services on, you are exposed to every vulnerability of your online account at the NAS provider. No matter how up to date your operating system is, no matter how carefully you encrypt and back up your data, if Synology, for example, is compromised, the malware will get to your NAS. It will get to your NAS via an encrypted, password-protected, TLS-certificate-validated HTTPS connection, sure, but it will get to your data.

So, considering all this, the best way to increase protection in your home network is not to depend on third parties at all. That way, if you open a port on your home router, at least you know about it, you can log access to it and you can close it automatically in case of an attack. The point is that you have control.
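One way to turn "log access to it and close it automatically" into something concrete, as an added example that is not from the original article: a small Python script that reads iptables-style LOG lines for a forwarded NAS port, counts hits per source inside a sliding time window, and reports the sources that crossed a threshold together with the firewall rule an operator would apply. The log format, the `NAS-IN:` log prefix, the year (syslog timestamps carry none), the port 5001, the sample addresses and the threshold are all constructed for this illustration; nothing here executes a firewall command.

```python
"""Threshold-based auto-block for a forwarded NAS port (constructed example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape an iptables LOG target produces with
# --log-prefix "NAS-IN:" on a router that forwards TCP 5001 to the NAS.
SAMPLE_LOG = """\
Mar  3 10:00:00 router kernel: NAS-IN: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=5001
Mar  3 10:00:01 router kernel: NAS-IN: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=5001
Mar  3 10:00:02 router kernel: NAS-IN: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=5001
Mar  3 10:00:03 router kernel: NAS-IN: IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=5001
Mar  3 10:00:04 router kernel: NAS-IN: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=5001
Mar  3 10:00:05 router kernel: NAS-IN: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=5001
Mar  3 10:00:06 router kernel: WAN-DROP: IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=23
Mar  3 10:00:07 router kernel: NAS-IN: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=5001
Mar  3 10:00:09 router kernel: NAS-IN: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=5001
Mar  3 10:02:00 router kernel: NAS-IN: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=5001
Mar  3 10:04:00 router kernel: NAS-IN: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=5001
Mar  3 10:05:00 router kernel: NAS-IN: IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=5001
Mar  3 10:06:00 router kernel: NAS-IN: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=5001
Mar  3 10:08:00 router kernel: NAS-IN: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=5001
Mar  3 10:10:00 router kernel: NAS-IN: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=5001
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?P<prefix>\S+) .*?SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?DPT=(?P<dpt>\d+)"
)
ASSUMED_YEAR = 2022  # assumption: syslog timestamps do not carry a year


def parse_line(line):
    """Return (timestamp, log prefix, source IP, destination port), or None if not a LOG line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["prefix"], m["src"], int(m["dpt"])


def find_offenders(lines, prefix="NAS-IN:", window_seconds=60, threshold=5):
    """Map each source that reaches `threshold` hits inside a sliding window
    to the time it crossed the line. Only lines carrying `prefix` count."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in (parse_line(l) for l in lines) if e and e[1] == prefix]
    events.sort(key=lambda e: e[0])  # logs are normally ordered already; be safe
    recent = defaultdict(deque)      # source IP -> timestamps still inside the window
    offenders = {}
    for ts, _, src, _ in events:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # forget hits that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in offenders:
            offenders[src] = ts.isoformat(sep=" ")
    return offenders


def block_commands(offenders):
    """Rules an operator would apply on the router (FORWARD chain, since the
    router forwards the traffic rather than terminating it); returned, not run."""
    return [f"iptables -I FORWARD -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG.splitlines())
    for ip, when in found.items():
        print(f"{ip} crossed the threshold at {when}")
    print("\n".join(block_commands(found)))
```

On the sample, only 203.0.113.7 is flagged: it makes five hits on the forwarded port within eight seconds, while 203.0.113.9 spreads its hits two minutes apart and never has five inside one 60-second window, and the `WAN-DROP:` line is ignored because it is a different prefix. Widening `window_seconds` to 900 flags 203.0.113.9 as well, which is the usual tuning knob between catching slow scans and blocking yourself after a few mistyped passwords.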

Opening access ports to your NAS

Photo by Philipp Berndt on Unsplash

Well, if you shut down Quick Connect and still want to access your data from somewhere outside your home network, what do you do? You have to open a TCP or UDP port. Each service provided by your NAS communicates with your devices via a specific port. That works automatically in your home network, because usually your devices will allow connections on those ports, or you can configure the device firewall to allow them. But from outside your home network there is only one way to do it: opening a port from the Internet to your NAS via the router provided to you by your ISP.

The thing is, though, if you do that you are exposed to the same threats discussed before, but this time the access won’t be via Quick Connect, it will be straight through the opened port. Directly at your door, so to speak. This time the access won’t be mediated by a cloud provider. Hackers will simply find your IP, detect your NAS with a quick port scan and then have all the time in the world to test their whole arsenal of exploits against it. Eventually one attack will succeed and your data will again be held captive by ransomware. Again, a dead end.

The proper way of accessing your data from outside the home network

Photo by Petter Lagson on Unsplash

Ok, so then, how do we do it? Is our data forever locked in the home network? Yes. If you want to be truly secure, you cannot enable cloud services and you cannot open ports to your home network. Without these features, your data is locked inside your network. And that’s a good thing. You can have full confidence that there is no possible attack that can be carried out against your network while all your network ports are closed. This is good. This is what ultimate security looks like: there can be no access if there is no door.

Now, you can have a special door into your network: it’s called a VPN. With a VPN you do indeed have to open a port on your router and forward it to a home server (a Raspberry Pi, for example), and on that server you would run a VPN server. This server would have an access account and would provide safe, encrypted communication between your network and the device registering itself in the VPN. But even though this is better than simply forwarding ports straight to your NAS, it is still a door. It’s still an open port that hackers can poke at. It’s a discoverable vulnerability in your network. It’s better of course, and we are clearly on the right path, but it’s just another game of who has the latest updates and who has the skills to find exploits in a service that is always running.

But what if there were a door made in such a way that nobody could see it? Can this be true? Yes, since the invention of WireGuard. WireGuard is a VPN that does not run on a TCP port; it runs on a UDP port. I am not going to give a full explanation of the history and objectives of TCP versus UDP, I am just going to say the easy bit: for TCP to work, it requires an active connection that can be detected from outside, while UDP doesn’t. Meaning TCP will answer when called, while UDP will answer only if the service recognizes the call. And the way WireGuard recognizes a call is by requiring it to be authenticated with an encryption key it already knows. If the UDP call is not authenticated with a recognized key, it will simply go unanswered. Do you know what an unanswered call looks like to a hacker trying random ports on a system? It looks like that port is not even open. It looks like there is nothing there.
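To make the "unanswered call" visible, here is an added example that is not from the article and is not WireGuard's protocol: a UDP listener that replies only to datagrams carrying a valid HMAC tag under a key it already knows, next to a plain TCP listener that greets anyone who connects, both probed on localhost the way a scanner would. HMAC-SHA256 over a constructed shared secret stands in for WireGuard's own check, in which the first handshake message carries a MAC keyed on the responder's public key and anything failing it is dropped without a reply; the key, the banner and the port choices are all assumptions made so the block runs stand-alone.

```python
"""Why an authenticated UDP listener looks closed to a port scan (constructed example)."""
import hashlib
import hmac
import socket
import threading

SERVER_KEY = b"constructed-demo-key"  # constructed; stands in for real VPN keys
TAG_LEN = 16
HOST = "127.0.0.1"


def seal(key, payload):
    """Prefix payload with a truncated HMAC-SHA256 tag under key."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN] + payload


def open_packet(key, datagram):
    """Return the payload if the tag verifies (constant-time compare), else None."""
    if len(datagram) < TAG_LEN:
        return None
    tag, payload = datagram[:TAG_LEN], datagram[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload if hmac.compare_digest(tag, expected) else None


class _Listener:
    """Background socket loop with clean shutdown; subclasses implement step()."""

    def __init__(self, sock):
        self.sock = sock
        self.sock.settimeout(0.2)            # lets the loop notice close()
        self.port = sock.getsockname()[1]    # ephemeral port, like a custom VPN port
        self.running = True
        self.thread = threading.Thread(target=self._loop, daemon=True)
        self.thread.start()

    def _loop(self):
        while self.running:
            try:
                self.step()
            except socket.timeout:
                continue

    def close(self):
        self.running = False
        self.thread.join()
        self.sock.close()


class SilentUdpServer(_Listener):
    """Answers authenticated datagrams only; everything else is dropped without a reply."""

    def __init__(self, key):
        self.key = key
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind((HOST, 0))
        super().__init__(sock)

    def step(self):
        data, addr = self.sock.recvfrom(2048)
        payload = open_packet(self.key, data)
        if payload is not None:              # unauthenticated probes get nothing back
            self.sock.sendto(seal(self.key, b"ack:" + payload), addr)


class ChattyTcpServer(_Listener):
    """A typical service: completes the handshake and sends a banner to anyone."""

    def __init__(self):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.bind((HOST, 0))
        sock.listen(5)
        super().__init__(sock)

    def step(self):
        conn, _ = self.sock.accept()
        with conn:
            conn.sendall(b"NAS-WEB/1.0 ready\n")  # constructed banner


def probe_udp(port, datagram, timeout=0.5):
    """Send one datagram and return the reply, or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(datagram, (HOST, port))
        try:
            return s.recvfrom(2048)[0]
        except (socket.timeout, ConnectionRefusedError):
            return None


def probe_tcp(port, timeout=0.5):
    """Connect and return whatever the service volunteers."""
    with socket.create_connection((HOST, port), timeout=timeout) as s:
        return s.recv(64)


def run_demo():
    """Probe both listeners like a scanner would and report which ones answered."""
    udp, tcp = SilentUdpServer(SERVER_KEY), ChattyTcpServer()
    try:
        known = probe_udp(udp.port, seal(SERVER_KEY, b"hi")) or b""
        return {
            "tcp_probe_answered": probe_tcp(tcp.port) is not None,
            "udp_random_probe_answered": probe_udp(udp.port, b"\x00" * 40) is not None,
            "udp_wrong_key_answered": probe_udp(udp.port, seal(b"guessed-key", b"hi")) is not None,
            "udp_known_key_answered": open_packet(SERVER_KEY, known) == b"ack:hi",
        }
    finally:
        udp.close()
        tcp.close()


if __name__ == "__main__":
    for check, answered in run_demo().items():
        print(f"{check}: {answered}")
```

The TCP listener answers every connection with its banner, so a scanner learns both that the port is open and what runs behind it. The UDP listener answers only the datagram sealed with the key it knows; a random probe or one sealed with a guessed key times out exactly as a filtered port would, which is why scanners such as nmap report an unanswered UDP port as "open|filtered" rather than open. The one thing this toy shares with WireGuard is the rule that matters: verify the key first, and say nothing to anyone who fails.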

So here we are. Network security means total data lockdown, with the exception of a WireGuard VPN. Any other VPN will tell your hacker that it’s there. Not WireGuard. I have a guide on how to set up WireGuard on your home server, so be sure to check it out and use it. Access to your home network will not be as straightforward as simply entering a URL in an address bar, but you will have peace of mind knowing your data is protected. Of course this won’t help you if you straight up download malware from the Internet and run it, but it will keep hackers away.

Also consider this: your data is tightly locked at home while you are on the road with your mobile phone configured for WireGuard, and you don’t have to turn on the VPN if you don’t need it. Meaning, again, you have more control: if you don’t need data from home, keep the VPN off, which adds even more security because there will be no permanent connection to your home. I like this feature. It adds to the peace of mind and gives me the opportunity to fully disconnect from my home network and connect to it only when I need something. I hope you learned something new by reading this and, as always, use the comments to keep in touch. See you in the next article!
