Network-attached storage devices are even more riddled with flaws than routers, though, according to one researcher. Jacob Holcomb, a security analyst at Independent Security Evaluators, led a major study into router vulnerabilities in 2013, and he focused on NAS boxes in his Black Hat talk this year.
“There wasn’t one device that I literally couldn’t take over,” Holcomb said. “At least 50 percent of them can be exploited without authentication.” By compromising a NAS device, an attacker could also hijack traffic from other devices on the same network, using techniques like ARP spoofing, he said.
Even scarier: While Holcomb says he’d reported all the vulnerabilities to NAS box makers, the ones he demonstrated at the show have yet to be patched. NAS fixes can take months to reach customers, he said.