Physical Trojan

Does physical security matter when it comes to IT security?  Some lazy people will say no; maybe this will change some opinions:

I was called to a regular client's site due to issues with their local Linux server, which regularly went unresponsive, and backups that weren't happening correctly.  So I went on fixing everything, noticing that the NAS's RAID array had gone awry and that the server was rebooting because it ran out of disk space: /mnt/* wasn't mounted properly, so the backups were landing on the root filesystem.  As I was leaving, I noticed something new in the server room... a black box connected to the network and the UPS... it couldn't be another modem, as I had just located the one in use and the building "backbone".  No identification; it could be an appliance, an AP, another NAS...  So I asked the only employee onsite since when this device had been plugged in, and he had no idea what it was either.

Not good...

No logo... hmm, trying to find the usual ID/power info sticker or engravings, I found them under the device, along with the MAC address.  Searching the MAC on the Web showed it was in the Western Digital range, 00:00:C0:00:00:00 - 00:00:C0:FF:FF:FF (the first three octets, the OUI, identify the vendor).

Now that we know what it is... gotta find out some clues about:

  • Who's the owner?
  • What's the purpose?
  • How is it configured?
  • Is it actually doing something, or what has been done?

After the employee called the owner, he told me I was authorized to proceed and even to take ownership of the device.  So I went to the router to look for any DHCP leases linked to a WD MAC address, and sure enough, found one and its IP.  Knowing it's plugged in via Ethernet, I entered the IP in the browser: it's a WD Book 3 TB under the name of an ex-employee.
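The two steps above (identifying the vendor from the MAC's OUI, then picking the matching lease out of the router's DHCP table) are easy to script, and worth scripting as a routine check for devices nobody inventoried. The following is an added example written for this post, not the author's tooling: it parses lease lines in dnsmasq's `dnsmasq.leases` format, looks up each MAC's OUI in a vendor table, and reports both devices from a given vendor and devices missing from an allowlist. The lease lines are constructed sample data, the OUI table holds only the `00:00:C0` prefix quoted above (a real run would load the IEEE OUI registry), and the `KNOWN_MACS` allowlist is an assumption.

```python
"""Find vendor-matched or unknown devices in a DHCP lease file.

Added example (not the post author's code). Lease lines follow dnsmasq's
/var/lib/misc/dnsmasq.leases layout: <expiry> <mac> <ip> <hostname> <client-id>.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample leases, not a real capture.
SAMPLE_LEASES = """\
1714000000 00:00:C0:12:34:56 192.168.1.77 MyBookLive 01:00:00:c0:12:34:56
1714000100 3c:97:0e:aa:bb:cc 192.168.1.10 srv01 *
1714000200 b8-27-eb-01-02-03 192.168.1.42 * *
"""

# Assumed OUI table (first three octets -> vendor). Only the Western Digital
# prefix quoted in the post; load the IEEE OUI registry for real use.
OUI_VENDORS = {"00:00:c0": "Western Digital"}

# Assumed allowlist: MACs the administrator has already inventoried.
KNOWN_MACS = {"3c:97:0e:aa:bb:cc"}

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class Lease:
    mac: str
    ip: str
    hostname: str
    vendor: Optional[str]
    known: bool


def normalize_mac(mac: str) -> str:
    """Lower-case and colon-separate a MAC so lookups match regardless of
    how the router prints it (b8-27-eb-... vs b8:27:eb:...)."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def vendor_for(mac: str) -> Optional[str]:
    """Look up the OUI (first three octets) in the assumed vendor table."""
    return OUI_VENDORS.get(normalize_mac(mac)[:8])


def parse_leases(text: str) -> List[Lease]:
    """Parse dnsmasq-style lease lines; malformed lines are skipped."""
    leases: List[Lease] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            mac = normalize_mac(fields[1])
        except ValueError:
            continue
        leases.append(Lease(mac=mac, ip=fields[2], hostname=fields[3],
                            vendor=vendor_for(mac), known=mac in KNOWN_MACS))
    return leases


def find_by_vendor(leases: List[Lease], vendor: str) -> List[Lease]:
    """Leases whose OUI resolves to the given vendor (the post's WD search)."""
    return [lease for lease in leases if lease.vendor == vendor]


def unknown_devices(leases: List[Lease]) -> List[Lease]:
    """Leases for MACs that are not on the allowlist, vendor or not."""
    return [lease for lease in leases if not lease.known]


if __name__ == "__main__":
    found = parse_leases(SAMPLE_LEASES)
    for lease in find_by_vendor(found, "Western Digital"):
        print(f"WD device: {lease.ip} {lease.mac} ({lease.hostname})")
    for lease in unknown_devices(found):
        print(f"not inventoried: {lease.ip} {lease.mac} vendor={lease.vendor}")
```

The allowlist check matters more than the vendor match: an intruder's device will not necessarily carry a recognizable OUI, and a MAC can be set to anything, so the real signal is "a lease exists that nobody can account for", exactly the situation found in the server room.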

ALARM: possibility of malicious intent.

So, with Hydra, I tried to brute-force access to the network shares or the web UI admin password, without luck.  I only had access to a public share containing a 6-month-old backup of the network drive.  The other listed shares were named after other employees.  Was it an attempt to replace the NAS when they had constant power issues?  Or was it to access the data from an external location?  Or to back it up and take it home later?

I did a quick network sniffing session and decided it wasn't worth it with the time I had, so I went on to reset the device and take ownership.  Once that was done, I had access to the device configuration (the reset only removes the admin password).  Here's what I noted:

  • UPnP enabled
  • The device was connected to WD's cloud service under the ex-employee's username
  • Files were accessible from the cloud
  • No recent cloud access
  • The "Set admin password" field seems to be limited to 16 characters, while the password field on the login form itself has no limit
  • Can't set our own SMTP password; mail has to be sent via WD's cloud service

Well... it's a truly awesome device, but its features combined with unauthorized physical access to a network (and something badly configured, of course) could cause a breach big enough to bankrupt a business.  That applies to many devices... which reminds me that one of the greatest risks in computer security comes from the inside!

For the record, no logs were enabled and no recent activity was detected, and I had to use the device since the old NAS was FUBAR.  I simply restored factory defaults, wiped the disk, disabled UPnP, disabled the cloud services, set proper ACLs and a very good admin password, and finally set appropriate firewall rules.