

Footnotes to the vulnerability table (the table itself is not reproduced on this page):

* The issues researchers reported to Synology (Session Fixation and the ability to Query Existence of Arbitrary Files) were included in this table.

** Though the Drobo does not include a web application by default, ISE includes vulnerabilities that appear in its optional web application here.



Internet of Things (IoT) devices have become more prevalent over the last few years, but they are often susceptible to hackers. Researchers recently discovered 125 security vulnerabilities across 13 NAS devices and routers. It is believed that these vulnerabilities are far-reaching and likely affect many similar devices.

Independent Security Evaluators (ISE) researchers started their investigation in 2013. Their first round of research focused on NAS devices and routers intended for home office use. Their second round, titled “SOHOpelessly Broken 2.0”, assesses security vulnerabilities in a wider range of devices. They chose 13 devices that “ranged from devices designed for general consumers to high-end devices designed for enterprise use.” They tested the following devices:

All of the devices had been updated with the latest firmware and were then tested in their “out-of-the-box configurations”. The researchers were able to gain remote root-level access to nearly every device on the list. The Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and the Zioncom TOTOLINK A3002RU were exploited without any authentication. Every tested device included at least one web application vulnerability. Some of the more common vulnerabilities included file upload path traversal and cross-site scripting (XSS).

It is also important to note that only a handful of companies have acknowledged the researchers’ findings. Zioncom, Drobo, and Buffalo have not responded to ISE. Thankfully, the other companies have either patched the security issues or are working toward improving them in the future. The researchers also hope that the manufacturers will start performing more rigorous assessments. Many of the vulnerabilities would have been discovered with some basic testing or through more fully developed bug bounty programs.

D-Link was recently sued by the Federal Trade Commission (FTC) over security issues in its routers and IP cameras. The Taiwanese corporation had been accused of leaving its customers vulnerable to attackers. D-Link and the FTC came to a settlement this summer, and D-Link has promised to follow a ten-year security oversight program that will be managed by a third party.