Be Careful What You Share

Numerous Vulnerabilities Found in Storage Devices

OULU, Finland and SARATOGA, California - 26 April 2012

Codenomicon, the leading vendor of proactive security solutions, warns consumers about the poor stability of Network-Attached Storage (NAS) units. Based on Codenomicon's robustness test results using smart model-based fuzzing tools, all of the tested units failed in multiple critical communication protocols.

"It is alarming that not a single one of the devices could clear the tests", says Ari Takanen, CTO of Codenomicon. "Similar protocols are used not only in consumer NAS units, but also in enterprise-level data storage devices. The information security as it stands is poor."

Embedded devices are everywhere. Connected to the Internet, they use protocols to transfer data. Bugs in software implementing those protocols make the devices vulnerable, and potentially exploitable. Researchers at Codenomicon Labs have been testing embedded devices. However, Codenomicon will not disclose any details of the vulnerabilities publicly in order to protect the users of those devices.

This research is part of a series of publications on testing embedded devices used by home consumers. Codenomicon Labs took five different consumer-grade NAS units from well-known manufacturers. Lab researchers fuzzed them thoroughly, and all of them failed. A discussion of the results and their implications can be found in the white paper.

What are NAS units?
Network-attached storage (NAS) units have become increasingly ubiquitous because they offer a convenient, simple and efficient way of sharing and storing data, often requiring nothing more than connectivity to a LAN or the Internet. These features, however, expose them to the multitude of threats that menace any networked device.

What is Fuzzing?
Fuzzing is a black-box testing technique in which malformed inputs are delivered to the system under test while its behavior is monitored. If the target system crashes or fails in any other way, a software bug is found. The main benefit of fuzzing is its unparalleled ability to find unknown zero-day vulnerabilities.

About Codenomicon Ltd

Spun out of Finland's Oulu University in 2001 to provide software security testing solutions to developers and security analysts, Codenomicon's customers include Alcatel-Lucent, AT&T, Cisco Systems, Microsoft, Motorola, Google, Verizon, NSN, Huawei, and T-Systems among many others. Companies rely on Codenomicon's solutions to mitigate threats like Denial of Service (DoS) situations and data leakage, which could increase liability, damage business reputation, and cripple sales. Codenomicon is a member of the SDL Pro Network. For more information, go to www.codenomicon.com.