Tom here from Lawrence Systems, and a lot of people have asked me about QNAP. I don't care for their devices because of their security posture. This is the first piece of information I start looking at when I want to evaluate a product. If I decide I like something, I really start with the security, because it can have some really great features, but if the company that produces and maintains that product has a really poor security posture, that kind of rules them out. It may be like, I really want to use this, it's a really great thing, it has exactly the features I want, it does this as fast as I want, it's at the price point I want, but it also comes with a ton of vulnerabilities and a company that doesn't really care about fixing them. That's why I start with security before I get too excited about those features.

So let's talk about QNAP today, because they're in the news again here in January 2022, but they've been in the news in the past for the same reason, and that same reason is ransomware because of poor security. "QNAP confirms Qlocker ransomware uses HBS backdoor account." A little more technical detail is right here: it is a hard-coded session ID. We never like when the words "hard-coded" are in a CVE report, because it never ends well. Any company that thinks they can hide something such as a hard-coded session ID or credential of some sort, hoping no one will ever discover it, is in for some news. It happens all the time. These are not the type of problems you want to see with your devices.

Now let's talk about how they handle security at QNAP, and this is an easy example. Here's a security researcher that found a problem with their software and found a way to exploit it. This is just QNAP ignoring security researchers. Now, granted, I will give them a little bit of benefit of the doubt that yes, they probably get quite a few people contacting them about what they think might be a security flaw, but this is an actual company doing this, and pen tests are expensive. So when you have a security researcher taking the time to look at your product and then explaining how it's broken, but then ignoring them, you're not really giving anyone the warm fuzzy feeling that you are on top of your security game. And the timeline tells the story here: October 12th, full disclosure report to QNAP (I'll leave a link to the actual exploit in the details). October 23rd, sent another email. October 31st, automatic reply from QNAP support with a ticket. January 26, notification that you're running out of your grace period before this gets published. January 26, QNAP help desk: hey, we confirmed the problem, still in progress. February 12th, grace period ended, and the security researcher still waited till March 31st to initially post a blog post. It's important to think about that March 31st date, and that they finally fixed it on April 16. That's a long dwell period to be told about a flaw in your system and not deal with it.

Now let's get all the way over to here: "QNAP force-installs update after DeadBolt ransomware hits 3,600 devices." And this is a little crazy, because the threat actors who are doing this have a couple of different approaches. One, they're hitting the people and charging them a small ransom. Two, they're offering a master decryption key to QNAP. QNAP also decided to force-update a bunch of systems, even if updates are turned off, is what it sounds like. So forced updates come too late, because, well, who cares about forced updates on a system that's already been ransomwared? And then there's the question of whether or not the update actually fixes the exploit. I'm not a hundred percent clear based on reading through this, and according to BleepingComputer their updates don't completely address this; it's just not a hundred percent addressed in here. Also of note is the fact that with these QNAP systems the threat actors are also offering to sell how they got into QNAP for a fee. So there's a lot to unpack in that article: the forced update, the fact that the update is apparently not fixing the system, or is it? I wasn't sure, and neither is BleepingComputer, because it's an older update. But either way, none of this gives me confidence in the QNAP product platform, that they care about security, that they're on top of it, that they do anything more than write software to push product as opposed to writing good software to keep a good reputation. But who knows, they could change in the future. This bad publicity does one of two things: it forces companies to up their marketing game so they can sell more product and hopefully ignore security issues, or to actually stop and address their security issues, which I'm hoping maybe they do. You know, companies can turn around.

Now, I'll admit there are probably plenty of people who are end users buying things like Synologys and just sticking them open to the internet as well. Synology, I think, has a better track record of security and updates, and that's why you're not seeing Synology in the news, and it's a very popular product. I believe they're also, much like QNAP, bought by many end users who don't really think about much more than reading an article on how to open up some ports and forwarding those ports. And this is why you have to think so much about security and the security posture of a company.

Now, the final note will be: yes, you shouldn't be exposing things. You can say that, but the fact is that these companies all offer write-ups on the convenience of exposing the services so you can access these devices outside of your home. There are always going to be a lot of people who don't go, "Yeah, I'll just put a VPN on this, because that would reduce my threat surface." That's just not something the average end user who uses these devices is going to do. That's why security is really important. This is why, even for end users, I don't think I would recommend a QNAP, or for people who are using this in a larger business, which a lot of people have mentioned that they do, at least on my channel in the comments, which is why they want me to review the product. A company that can just force an update, which probably means it force-rebooted the system, and if you're using it as an iSCSI target with your VM infrastructure, that obviously can cause some very unexpected states of your VMs. I don't really like a company that has the ability to just force it, as opposed to you doing an update. That's another concern, that they had that ability to do that, and like I said, it's detailed in the BleepingComputer article. I don't have a QNAP to really dive into it myself, so I'm relying on the reporting there, but there's enough information and data points to gather to make me not want to use the product. And that's kind of my final verdict on here, for those of you who will be asking in the future saying, "Hey Tom, why not review one of these QNAPs?" If they make a dramatic change in their security posture, awesome, maybe I'll take a look at them again. But for now, now that you've heard all my thoughts on it, I'm gonna quit rambling. Leave your comments down below and head over to my forum for a more in-depth discussion. Thanks.