Home Network Attached Storage (NAS) devices are gaining in popularity because of the simplicity they offer in managing ever-growing amounts of personal data. Their functionality is extending beyond a data store: they are becoming the central content management system, multimedia center, network management point and even automation hub for the home and small business. The devices offer accessibility to local and remote users as well as to untrusted users via data shares. These capabilities expose all stored data and the device itself to outside/remote attackers. This talk will demonstrate NEON TOOL; by leveraging multiple vulnerabilities, it allows a remote attacker to gain root access on a popular home NAS device. The talk will cover the problems that XSS, in conjunction with other weaknesses, can create. It will address how these vulnerabilities were uncovered, possible mitigations, how to work responsibly with the vendor to ensure a timely resolution, and an investigation into the fixes employed.
Tony Martin (https://www.linkedin.com/in/martintony)
Tony is a security architect at a Fortune 100 networking company as part of the secure development lifecycle team. He likes green font with a black background and, when bored, stuff tends to get broken - ethically. His areas of learning include software and system architecture / design with a flair for trying to build security from the start, implementing and breaking (or trying) applied crypto, and pen testing (hence this talk). Additionally, he loves training / teaching and enabling teams to build secure products. Tony volunteers in many places, including the Packet Hacking / Wall of Sheep Village.