Team82’s extensive research into network attached storage devices and the ubiquitous OPC UA industrial protocol came to a head recently in Las Vegas with a pair of presentations at Black Hat USA and DEF CON disclosing vulnerabilities in Synology and Western Digital NAS cloud connections and the unveiling of a unique OPC UA exploit framework.
In this episode of the Nexus podcast, researcher Noam Moshe explains how both research initiatives came to be, the implications of each for users, and how the respective ecosystems have been made safer.
Synology and Western Digital, the two biggest NAS vendors, were Team82’s targets. The team’s efforts uncovered vulnerabilities in the way devices authenticated to their respective cloud platforms.
In the Synology research, Team82 exploited issues that allowed them to impersonate a Synology NAS device as it connects to the cloud, and redirect traffic to an attacker-controlled server. An attacker would also be able to access a user’s remote device, steal personal information, and access stored data.
Team82’s Western Digital research, meanwhile, went a step further. The researchers were able to enumerate all devices (1.5 million devices have joined its cloud in the last three months), access them, steal stored information, and remotely execute code.
Both vendors responded with firmware and updates to their cloud authentication to address all of Team82’s disclosures. Western Digital has also banned any of its NAS devices that are not updated from connecting to its cloud.
“We thought maybe we could abuse the cloud somehow to attack the device,” Moshe said. “Because we are leveraging the cloud in our attack, we can attack many devices. For example, in Western Digital’s case we were able to have the ability to compromise basically all cloud-connected devices, giving us access to potentially millions of files and petabytes of data.”
Team82’s multiyear research into OPC UA, the prevalent OT network protocol, has resulted in the disclosure—and patching, or mitigating—of 50-plus vulnerabilities. At Black Hat, the researchers made freely and publicly available a centerpiece tool of their research. Their OPC UA exploit framework contains dozens of vulnerabilities and proof-of-concept exploits that vendors and users can use to test the security of OPC UA products and implementations.
Each exploit in the framework targets specific functions within an OPC UA protocol implementation. Users can, for example, send malformed or malicious packets to individual parts of the OPC UA stack that could trigger vulnerabilities when parsed. While not all vendor implementations were vulnerable during Team82’s research, the team did find working exploits against OPC UA servers that were prone to specific classes of vulnerabilities.
Leading vendors in the OPC UA community have already had limited access to the framework through a coalition of vendor representatives on a private Slack channel to share best practices around improving the security of the protocol stack and how it is implemented. These vendors have also used the framework to test their products, and numerous vulnerabilities have been uncovered and addressed since this effort started.
“This framework was part of our research and methodology and toolset all along. We had to develop our own tools to make sure we were able to fully exploit OPC UA products and that way the framework grew naturally,” Moshe explained. “We had to add more capabilities to it in order to fully add more support for more exploits and techniques. We reached a critical mass where we had support for all the different attack concepts we developed.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.