Consider this scenario:

My parents* have a Fritzbox router, probably 10 years old, which offers to attach a USB drive and set it up as a NAS, which I have done for them, so far, only with internal (intranet) access, to put files on, shared between their devices, watching films on their TV, etc.

Sometimes, the need arises to transfer a larger file from where I live to them, and I have used upload sites for that in the past, but that's annoying with advertising, logging in, etc.

I remember that the Fritzbox offers to set up an account where you have external network access to a folder on the USB drive. This would seem far more convenient and faster.

But I'm not a network expert and don't feel confident to judge whether it's wise w.r.t. security.

Does doing this pose a realistic security concern? Or only, if certain things are (not) done - can it be made reasonably slim? E.g. say the Fritzbox offers access via username + password: if both fields use the largest possible number of characters, both generated randomly, would that be a good idea?

* who are not very computer-affine - they never could fix stuff when anything goes nuts.

Albin
user1847129
  • What about Dropbox, etc? – RonJohn Apr 07 '23 at 02:18
  • Adding to @RonJohn's comment, there are various reputable cloud storage services like Microsoft OneDrive, Google Drive, etc. that make sharing files easy and accessible. Most of the time those services are equally convenient for both sides. – iBug Apr 07 '23 at 06:01
  • @iBug - yes, convenient, aren't they. They do have "a reputation", also true. And I want nothing to do with them where I can help it. – user1847129 Apr 07 '23 at 10:33

2 Answers

Does doing this pose a realistic security concern? Or only, if certain things are (not) done - can it be made reasonably slim? E.g. say the Fritzbox offers access via username + password: if both fields use the largest possible number of characters, both generated randomly, would that be a good idea?

Increasing password length is only useful up to a certain point. Usually the attacker is remote – they can't get a password hash to throw at GPUs (even assuming they had specific interest in your NAS to make it worth the GPU time), they're only doing individual attempts over the network. Even assuming they can make 10k guesses per second (which you would notice), just a 10-character random alphanumeric password already takes some 5000 years to guess. Make it 20 characters if you want but don't feel the need to go absolutely overkill.

(Assuming that the software does not just chop off all but the first 8 characters of the password, making the rest of the 100-character-long password effectively useless. This has been seen in the wild.)

But the actual problems with appliances (and exposed services in general) are with pre-authentication vulnerabilities, i.e. those that do not involve guessing a password at all, such as accessing an endpoint that doesn't require auth, or discovering a "developer backdoor" password. There have been such attacks against Synology devices, against WD devices, against QNAP devices. (It's the same reason why Windows is considered "risky" to expose – not so much because of weak passwords, mostly because of its extensive history of pre-auth vulnerabilities.)

On the other hand, if all remote access goes through the manufacturer's "cloud" service (i.e. if you're not actually allowing direct access to your router/NAS), then it's a bit less of an issue, leaving mostly just password-guessing.

Still, your router seems old enough that it no longer receives firmware updates, so be sure to search for it in e.g. CVE databases to check whether it has any known vulnerabilities that are going to stay unpatched forever.

u1686_grawity
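To make the arithmetic behind the answer's "some 5000 years" claim and its truncation caveat concrete, here is an added example (not part of the answer or of any Fritzbox software). It assumes a purely online guesser at a constructed rate of 10,000 attempts per second, takes the average cost as half the keyspace, and models the "only the first 8 characters count" failure mode by capping the effective length; the alphabet names and the `truncate_to` parameter are this example's own.

```python
import math
import secrets
import string
from typing import List, Optional, Tuple

SECONDS_PER_YEAR = 365 * 24 * 3600

# Alphabets used in the calculations below (constructed for this example).
ALPHABETS = {
    "digits": string.digits,                                  # 10 symbols
    "lower+digits": string.ascii_lowercase + string.digits,   # 36 symbols
    "mixed+digits": string.ascii_letters + string.digits,     # 62 symbols
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def expected_guess_years(alphabet_size: int, length: int,
                         guesses_per_second: float,
                         truncate_to: Optional[int] = None) -> float:
    """Average time (years) for an online guesser to hit one uniformly random
    password: half the keyspace divided by the guess rate.

    `truncate_to` (hypothetical parameter) models software that silently keeps
    only the first N characters: anything beyond N adds no security, so the
    effective length is capped there.
    """
    effective_length = length if truncate_to is None else min(length, truncate_to)
    average_guesses = keyspace(alphabet_size, effective_length) / 2
    return average_guesses / guesses_per_second / SECONDS_PER_YEAR


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def generate_password(length: int, alphabet: str = ALPHABETS["mixed+digits"]) -> str:
    """Uniformly random password drawn from the OS CSPRNG via `secrets`,
    which is what 'generated randomly' should mean in practice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guessing_table(guesses_per_second: float = 10_000,
                   lengths: Tuple[int, ...] = (8, 10, 20)) -> List[Tuple[str, int, float, float]]:
    """Rows of (alphabet name, length, entropy bits, expected years) for the
    assumed online guess rate."""
    rows = []
    for name, alphabet in ALPHABETS.items():
        for n in lengths:
            rows.append((name, n, entropy_bits(len(alphabet), n),
                         expected_guess_years(len(alphabet), n, guesses_per_second)))
    return rows


if __name__ == "__main__":
    print(f"{'alphabet':<14}{'len':>4}{'bits':>8}{'years @10k/s':>18}")
    for name, n, bits, years in guessing_table():
        print(f"{name:<14}{n:>4}{bits:>8.1f}{years:>18.3g}")
    # The same 100-character password, but the service only honours the first 8:
    full = expected_guess_years(62, 100, 10_000)
    capped = expected_guess_years(62, 100, 10_000, truncate_to=8)
    print(f"\n100 chars, no truncation: {full:.3g} years; truncated to 8: {capped:.3g} years")
    print("sample 20-char password:", generate_password(20))
```

With a 36-symbol alphabet (lowercase plus digits) a 10-character password comes out at roughly 5,800 years on average at 10k guesses/s, which is the figure the answer rounds to "some 5000 years"; mixing case pushes the same length past a million years. The truncation row is the more instructive one: a 100-character password that the service cuts to 8 characters is guessed in a few hundred years at that rate, which is why checking that a long password is actually honoured (for example by trying to log in with only its prefix) matters more than adding characters.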
As long as you choose a reasonably complex password (as you describe) you should be fine. To minimize security risks make sure that updates are done regularly, and don't allow any unnecessary services from the Fritzbox to be accessible from the Internet. This must include other precautions like backups etc. (which should also be kept offline in case there is a breach in security). Make sure that your model is still supported by the manufacturer and updates are still provided.

Although there have been issues with the Fritzbox in the past the above precautions should make it relatively safe to use. Just keep in mind that Fritzbox is an end-consumer all-in-one product, so it has limits when it comes to its security features (like firewall etc.).

Albin
  • If the account is 100% local and does not rely on any web services from the manufacturer/service provider, then you are right, device security principles will likely be effective in protecting your information. If however you go on to the Fritz website (or Ubiquiti's or Netgear's) to create that account, then the security is no longer in your control, and if they have a breach or APT incident, the attackers may be able to access your account using the manufacturer's own tools and services. The same is true if you use reverse-tunneling tools like Synology's or Western Digital's. WD got hacked last week – Frank Thomas Apr 06 '23 at 20:43
  • _"To minimize security risks make sure that updates are done regularly"_ - It's a 10-year-old router and manufacturers usually can't even do a half-decent job keeping their current models secure. This one probably didn't receive any updates in years. – gronostaj Apr 07 '23 at 08:44
  • @gronostaj AVM/Fritzbox has a very good reputation for security updates (they are the go-to brand for many enthusiasts in North West Europe and some of the better ISPs use them as the ISP-provided router as well) but 10 years old is just too much... – Tonny Apr 07 '23 at 13:31