3

Consider this scenario:

My parents* have a Fritzbox router, probably 10 years old, which offers to attach a USB drive and set it up as a NAS. I have done this for them, so far only with internal (intranet) access, to put files on it that are shared between their devices, for watching films on their TV, etc.

Sometimes, the need arises to transfer a larger file from where I live to them, and I have used upload sites for that in the past, but that's annoying with advertising, logging in, etc.

I remember that the Fritzbox offers to set up an account where you have external network access to a folder on the USB drive. This would seem far more convenient and faster.

But I'm not a network expert and don't feel confident to judge whether it's wise w.r.t. security.

Does doing this pose a realistic security concern? Or only if certain things are (not) done - can it be made reasonably slim? E.g. say the Fritzbox offers access via username + password: if both fields use the largest possible number of characters, both generated randomly, would that be a good idea?

* who are not very computer affine - they could never fix stuff when anything goes nuts.

Albin
  • 11,950

2 Answers

7

Does doing this pose a realistic security concern? Or only if certain things are (not) done - can it be made reasonably slim? E.g. say the Fritzbox offers access via username + password: if both fields use the largest possible number of characters, both generated randomly, would that be a good idea?

Increasing password length is only useful up to a certain point. Usually the attacker is remote – they can't get a password hash to throw at GPUs (even assuming they had specific interest in your NAS to make it worth the GPU time), they're only doing individual attempts over the network. Even assuming they can make 10k guesses per second (which you would notice), just a 10-character random alphanumeric password already takes some 5000 years to guess. Make it 20 characters if you want but don't feel the need to go absolutely overkill.

(Assuming that the software does not just chop off all but the first 8 characters of the password, making the rest of the 100-character-long password effectively useless. This has been seen in the wild.)

But the actual problems with appliances (and exposed services in general) are with pre-authentication vulnerabilities, i.e. those that do not involve guessing a password at all, such as accessing an endpoint that doesn't require auth, or discovering a "developer backdoor" password. There have been such attacks against Synology devices, against WD devices, against QNAP devices. (It's the same reason why Windows is considered "risky" to expose – not so much because of weak passwords, mostly because of its extensive history of pre-auth vulnerabilities.)

On the other hand, if all remote access goes through the manufacturer's "cloud" service (i.e. if you're not actually allowing direct access to your router/NAS), then it's a bit less of an issue, leaving mostly just password-guessing.

Still, your router seems old enough that it no longer receives firmware updates, so be sure to search for it in e.g. CVE databases to check whether it has any known vulnerabilities that are going to stay unpatched forever.

grawity
  • 501,077
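Putting the guessing estimate from the answer above into numbers, as an added example that is not part of the original answer: the function names, the 10k guesses/s rate and the alphabet sizes are this example's own assumptions, and the "server truncates to 8 characters" rows model the caveat about software that silently drops everything past the first 8 characters.

```python
# Added example (not from the original answer): estimate how long online
# password guessing takes at a fixed rate, and show how a server that
# silently truncates passwords wipes out the benefit of extra length.
# Assumed values: the 10k guesses/s rate and alphabet sizes below are
# illustrative, not figures for any particular Fritzbox firmware.

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes used for the estimates (assumed, typical values).
CHARSETS = {
    "digits": 10,
    "alnum-lowercase": 36,   # a-z, 0-9
    "alnum-mixed-case": 62,  # a-z, A-Z, 0-9
    "printable-ascii": 95,
}


def years_to_guess(charset_size, length, guesses_per_second,
                   truncated_to=None, expected=True):
    """Years to brute-force a uniformly random password of `length` symbols.

    `truncated_to` models a server that keeps only the first N characters:
    a longer password is then no stronger than an N-character one.
    `expected=True` gives the average case (half the keyspace), else the
    worst case (the whole keyspace).
    """
    effective_len = length if truncated_to is None else min(length, truncated_to)
    keyspace = charset_size ** effective_len
    guesses = keyspace / 2 if expected else keyspace
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def compare(rate=10_000):
    """Return {(charset, length, truncated_to): years} for a few scenarios."""
    rows = {}
    for name, size in CHARSETS.items():
        for length in (8, 10, 20, 100):
            for trunc in (None, 8):
                rows[(name, length, trunc)] = years_to_guess(size, length, rate, trunc)
    return rows


if __name__ == "__main__":
    for (name, length, trunc), years in sorted(compare().items(), key=str):
        note = f" (server truncates to {trunc})" if trunc else ""
        print(f"{name:18s} {length:3d} chars{note:28s}: {years:18,.1f} years")
```

With a 36-symbol alphabet the 10-character average case lands near the "some 5000 years" in the answer, while the truncated rows show a 100-character password collapsing to the strength of an 8-character one.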
1

As long as you choose a reasonably complex password (as you describe) you should be fine. To minimize security risks make sure that updates are done regularly, and don't allow any unnecessary services from the Fritzbox to be accessible from the Internet. This must include other precautions like backups etc. (which should also be kept offline in case there is a breach in security). Make sure that your model is still supported by the manufacturer and updates are still provided.

Although there have been issues with the Fritzbox in the past, the above precautions should make it relatively safe to use. Just keep in mind that the Fritzbox is an end-consumer all-in-one product, so it has limits when it comes to its security features (like the firewall etc.).

Albin
  • 11,950