Explore a detailed security research presentation from DEF CON 31 that reveals critical vulnerabilities in network-attached storage (NAS) devices and their cloud connectivity features. Learn how researchers discovered and exploited authentication weaknesses in both Western Digital and Synology NAS systems during Pwn2Own Toronto 2022, demonstrating how hardware identifiers used for cloud authentication can be manipulated for device impersonation and phishing attacks. Dive deep into the technical architecture of cloud-based NAS systems and their pairing mechanisms, and discover how certificate transparency logs can be leveraged to enumerate and compromise edge devices. Understand the methods used to intercept cloud proxy authentication tokens, enabling unauthorized access to stored files, data manipulation, and remote code execution capabilities that bypass NAT/firewall protections.
Syllabus
DEF CON 31 - A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS - Moshe, Brizinov
Taught by
DEFCONConference