Saturday, March 28, 2009

Buffalo NAS & Internet File Sharing

If you've ever wondered what the people over at Buffalo NAS are thinking about... check out this flash-based video about their awesome web-based file-sharing product: http://www.buffalo-technology.com/files/LinkSystem_Flash_04.swf.

From their page (here)...
"Buffalo's unique Web Access feature allows LinkStation Live users to share their pictures, music or other files with friends and family through any ordinary Web browser.
You don't need to install any software and neither do those with whom you want to share your files."
Two things wrong with this:
  1. Isn't this file-sharing? The potentially illegal kind?
  2. Remote access to your system (NAS) without having to install any software? I hope they at least do serious authentication and encryption! And it's a good thing browsers are secure enough to keep your system safe!
"BuffaloNAS is the portal site that is responsible for establishing a peer-to-peer connection between Buffalo NAS (Network Attached Storage) servers, such as the LinkStation Live and external users."
So if I understand this correctly, this portal site run by Buffalo NAS gains access to your computer, and enforces share permissions over the web. That sounds secure.
"For example, if you have a LinkStation Live at your home or office, you can configure the integrated Web Access server so that certain shares on your system become available to users on the Internet."
What can I say... making it idiot-proof to share your company's documents over the web is a great idea, right?
"The configuration is a simple process. If you have an UPnP enabled router (most all recent routers support UPnP) you don't even need to configure anything on your firewall. All you have to do is enable the Web Access server at your local LinkStation.
Don't forget to set your access permissions in the "Folder Setup" section of the main menu.
Then, you merely need to enter a name (i.e. BaldEagle) and key (i.e. 12345) and wait for the acknowledgement from BuffaloNAS.com. If no one has picked your name already, you are set to go."
Someone should conduct a security audit of this service! How many users out there do you suppose you could guess the name of? Further, there are no complexity requirements on the key (the password) or anything else!

There's even a Quick Start page too... to get you going quickly.  My favorite feature is to allow anonymous access to web-shared folders on the NAS.

Interestingly enough, you can simply build a quick script to exploit this service (or at least gather some great intel) in about 1 minute or less. As an example, I just typed in something obvious such as https://buffalonas.com/steve and got the following screen, first alerting me that the site's SSL certificate wasn't trusted... then once I accepted that, prompting me for a username and password. I stopped there...
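From the defender's side, the behaviour described above (a guessable name that redirects straight to a password prompt, with no complexity rules on the key) shows up in the NAS web server's access log as a burst of failed requests from one client, or as one client touching many different share names that don't exist. The following Python is an added example, not code from this post or from Buffalo: it assumes the front end writes Common Log Format lines (the lighttpd-style format a commenter below mentions; that format is an assumption here, not something the page confirms), and the log lines, addresses and share names are constructed for the demonstration.

```python
"""Spot password guessing and share-name probing in a NAS web front end's access log.

Added illustration for this post; not Buffalo code. Assumes Common Log Format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. Addresses come from the RFC 5737 documentation ranges;
# the share names and timings are invented. One client hammers /steve with six
# failures in 13 seconds, one client logs in normally after a single 401, and one
# client walks through several names that mostly do not exist.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2009:10:00:01 +0000] "GET /steve HTTP/1.1" 401 0
203.0.113.7 - - [28/Mar/2009:10:00:03 +0000] "GET /steve HTTP/1.1" 401 0
203.0.113.7 - - [28/Mar/2009:10:00:05 +0000] "GET /steve HTTP/1.1" 401 0
203.0.113.7 - - [28/Mar/2009:10:00:08 +0000] "GET /steve HTTP/1.1" 401 0
203.0.113.7 - - [28/Mar/2009:10:00:11 +0000] "GET /steve HTTP/1.1" 401 0
203.0.113.7 - - [28/Mar/2009:10:00:14 +0000] "GET /steve HTTP/1.1" 401 0
198.51.100.4 - - [28/Mar/2009:10:02:00 +0000] "GET /photos HTTP/1.1" 401 0
198.51.100.4 - steve [28/Mar/2009:10:02:09 +0000] "GET /photos HTTP/1.1" 200 5120
192.0.2.33 - - [28/Mar/2009:11:00:00 +0000] "GET /alice HTTP/1.1" 404 0
192.0.2.33 - - [28/Mar/2009:11:00:01 +0000] "GET /bob HTTP/1.1" 404 0
192.0.2.33 - - [28/Mar/2009:11:00:02 +0000] "GET /carol HTTP/1.1" 401 0
192.0.2.33 - - [28/Mar/2009:11:00:03 +0000] "GET /dave HTTP/1.1" 404 0
this line is not a valid log entry and is skipped
"""

# client ident authuser [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse every line of a log, silently dropping unparseable ones."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def detect_guessing(records, threshold=5, window=timedelta(minutes=5)):
    """Return {client: peak failures} for clients with >= threshold HTTP 401s
    inside any sliding window of the given length (a password-guessing signal)."""
    recent = defaultdict(deque)   # client -> timestamps of recent 401s
    peak = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["status"] != 401:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def detect_enumeration(records, min_distinct=4):
    """Return {client: sorted paths} for clients that hit at least min_distinct
    different top-level names and got only 401/404 back (a name-probing signal)."""
    probed = defaultdict(set)
    for rec in records:
        if rec["status"] in (401, 404):
            probed[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in probed.items()
            if len(paths) >= min_distinct}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, n in detect_guessing(recs).items():
        print(f"guessing: {ip} had {n} auth failures within 5 minutes")
    for ip, paths in detect_enumeration(recs).items():
        print(f"probing:  {ip} tried {len(paths)} names: {', '.join(paths)}")
```

The two detectors are deliberately separate: a legitimate user who fat-fingers a key a couple of times never reaches the guessing threshold, and a client that only ever asks for one share name never trips the enumeration rule, so each alert points at a different behaviour worth throttling or blocking at the NAS or the router in front of it.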

I'm sorry - but this is just irresponsible on Buffalo's part. Allowing access to a NAS system over the Internet and advertising it as simple as they do - it's just irresponsible.

12 comments:

dookie said...

Holy hell, that's crazy. Great(depressing) find.

zonky said...

It does exactly what it says on the tin. I'd choose not to Blame Buffalo, but the people buying it, myself.

Rafal said...

@dookie: Glad I could dig it up for you... sounds just like the Western Digital (MioNET) app I blogged about over a year ago...

@zonky: Really. Interesting position! I'd like to understand more on why you blame the person buying it. Feel free to either email me, or post more here...

Anonymous said...

Rafal,

They're not selling this as a 'security product', and it does what it says on the tin - shares files you select over the internet, with either users you create, or anonymously/everyone.

You or I probably consider this a bad idea.

Otoh, you could make the same claim about windows XP professional, when the IIS package/component is installed.

It's up to users to select and buy technology that suits them.

Obviously, if the software contains *flaws* which may lead to unchosen access, that's a different ball game.

I'm certainly not suggesting that the general public is well informed, and i'm all for education.

Rafal said...

@Anonymous: I would agree with you to a point... although I think it's up to the vendor (Buffalo Tech in this case) to protect the user by not providing a product that the user can do harm to themselves by using.

To illustrate more clearly... if an auto manufacturer sold a car that, as one of its features, created a situation where immediate harm could come to the driver/passenger - wouldn't we hold the auto manufacturer responsible?

If I sell you a feature that *exposes you to un-necessary threat* isn't it my responsibility?

I understand full well the power of the ignorant user - and I'm not holding the gun manufacturer responsible for a shooting death - I'm simply asking that companies stop marketing/providing HARMFUL TECHNOLOGIES to unknowing/ignorant end-users.

/end of rant

Rafal said...

@dookie - BTW, since I missed it the first time around - thank you for your service (although it's to a different country).

zonky said...

I'm not really sure how this is harmful per se.

If you're saying it's mis-configurable, well, i guess that's valid.

I can mis-configure my apache install on gentoo too, but I don't see any of your posts criticising that?

Mis-configuration is a risk of any device. Unless you're mandating internet devices which only have an on/off button.

The Buffalo line of NAS's are built on embedded Linux running lighttpd or similar, I believe. There might be some questions around package management/security upgrades, which would be of interest.

The NAS does allow SSL, so perhaps the only valid criticism might be around enumerating likely usernames, and a lack of password control.

That said, my apache install doesn't protect against this either.

(You might argue that the enforcement of passwords is a function of the web application layer, and I'd not disagree).

Yes, I wouldn't put my own private files on an internet facing device. I have a vpn to enable remote access - I'd like to see openvpn being used more in these commodity devices for such remote access - see dd-wrt, openwrt etc.

(of course, then you have certificate generation issues around doing that.....)

So you have what appears to be a reasonably secure device that implements SSL to protect against MITM/password sniffing, and can be configured badly.

I wouldn't want that on my network, nor would you on yours, but other people are prepared to do so.


It's about education.

People need to be able to say.

What are the benefits?

What are the risks?

Blaming buffalo for producing a device that can be mis-configured doesn't really seem all that fair, or productive to me.

Better you ask why people want to have it internet connected.

otoh, perhaps some people use it on their private networks, behind a firewall, and you're just out to spoil their fun.

[Apologies, but I selected anonymous above by mistake.]

zonky said...

One last thing. Looks to me like buffaloNAS.com is just a directory site - and the username/password you are creating there is a dynamic DNS style URL remapping feature, i.e. it redirects to your current known IP address, as reported by the buffalo NAS in question.

I can't see any evidence that the central directory maps or sets your NAS server side permissions, etc.

Rafal said...

@zonky - I appreciate the comments and continued conversation.

There has to be a middle ground between functionality people want, and protecting them from their own stupidity (or ignorance).

BTW... http://buffalonas.com/username redirects to the users that are in their system. This means that if someone hooks up to their system I now know their internet address and can try and brute-force their "key" which can't be all that hard. Scary.

zonky said...

http://buffalonas.com/username redirects to the users that are in their system.

Quite possibly. I don't have a device, so I can't authoritatively comment, but to me it looks like it's a typical USER problem, where the USER chooses the same username/password for the directory site as they do for the user list on their NAS.

To combat that, you would need access from the directory to the NAS to poll usernames, which would cause some of the risks you describe.

Seems to me that the problems with the NAS mentioned are limited, and are down to poor implementation.

Certainly, in a 'boxed' state, they don't appear likely to be a major risk- it's all down to the user....

Anonymous said...

You haven't researched this article at all!

For a start file sharing protocols are not illegal. Yes, it could be used illegally, but that goes for almost anything. I could go to our print room right now, pick up a ream of paper and beat someone to death with it. Should we make paper illegal?

"So if I understand this correctly, this portal site run by Buffalo NAS gains access to your computer, and enforces share permissions over the web."

It does no such thing! Share permissions are configured by the user and enforced by the NAS. All that happens is the storage device connects to buffalonas.com and tells it which IP address it's sitting on. The Buffalonas website simply redirects a connecting browser to the right IP address. No file sharing traffic passes over the buffalonas website and it certainly has no access to the storage device or anything else on your network.

"Interestingly enough, you can simply build a quick script to exploit this service (or at least gather some great intel) in about 1 minute or less. As an example, I just typed in something obvious such as https://buffalonas.com/steve and got the following screen, first alerting me that the site's SSL certificate wasn't trusted... then once I accepted that prompting me for a username and password. I stopped there..."

So what? I could find out the same information from port scanning a network. There are thousands of internet services that implement basic password authentication. How about Gmail/Hotmail/Yahoo etc? Is Google irresponsible?

"I'm simply asking that companies stop marketing/providing HARMFUL TECHNOLOGIES to unknowing/ignorant end-users."

Let's face it, if we all had to cater for only the lowest common denominator we'd get nowhere! If we consider ourselves of average intelligence just remember that half the world's population are dumber than we are.

It boils down to the fact that ANY network connected device is vulnerable to user misconfiguration. There are at least 4 unsecured wireless networks within range of my house. Should we stop selling wireless routers to anyone with an IQ lower than 80?

Anonymous said...

Hi! I liked your post. It brings some serious questions up, like "Should we really trust mere mortals with file security on the Internet?!"

I'm using a Buffalo NAS for a company. Works great. I don't use the buffalonas website to get to it. Nobody's broken into it yet. Can they? Probably. Can they break into an FTP server? Probably. (Someone in China was hacking on a client's FTP site Monday night.)

On that note, how many companies are using FTP without ssl? The Buffalo device is just a file sharing/storage device with web access which uses an https link for the traffic. I'd consider that pretty secure compared to many of the other file sharing solutions I've seen out there.

I use it to transfer files to and from customers and give them each an ID on it with their own password to their own folder. Inside the network I have a master login that gives me SMB access to the shares. On an FYI, this device uses port 9000 for login, and some nice random port (user selectable) for communication with the buffalonas server. Yes, I could be an idiot end user and mis-configure my FTP server too, but that isn't the server manufacturer's fault. And yes there could be a security flaw in the linux distro they're using too. That's my responsibility to check that the firmware is up to date and that Buffalo is correcting issues like this when they occur. (Just like it is my responsibility to update all of my other server/os/application software to patch security holes.)

I believe Buffalo has provided a good solution for simple file sharing.

The only thing that pisses me off about the device is that if you use it with an AD domain security system it shuts off the FTP server! Arrrrgh!