Researchers from Dell SecureWorks reported in June that a hacker made over US$600,000 by hacking into Synology NAS devices and using them to mine Dogecoin, a type of cryptocurrency. More recently, some Synology NAS device owners reported that their systems had been infected by a file-encrypting malware program called SynoLocker.
By compromising a NAS device an attacker could also hijack traffic from other devices on the same network by using techniques like ARP spoofing, Holcomb said.
A big concern is that many NAS vendors use the same code base for their high-end and low-end devices, the researcher said. That means the same vulnerabilities in a low-cost NAS device designed for home use could exist in a much more expensive NAS system designed for enterprise environments.
Paying more money for a device does not mean it has better security, Holcomb warned.
Independent Security Evaluators has partnered with the Electronic Frontier Foundation to organize a SOHO router hacking contest at the DefCon security conference later this week, primarily to raise awareness about the poor security state of such devices. Holcomb's new research suggests other embedded devices fare even worse.