<p>Network-Attached Storage (NAS) devices are essential in the IoT ecosystem, widely used for enterprise data exchange and personal cloud storage. Managed via web-based interfaces and network file-sharing protocols, they are increasingly integrated with cloud services, making them vulnerable to cyber threats. While previous research has focused on NAS firmware and public port security, the security of NAS third-party packages remains largely unexplored. These packages, integrated through web services and APIs, introduce new attack surfaces. To address this gap, we propose NASScanner, an analysis framework for automated package collection, preprocessing, and security assessment. Using NASScanner, we conducted the first large-scale security measurement of NAS third-party packages, analyzing 1,489 packages—the largest dataset of its kind. Our study examined third-party component security, attack mitigation measures, and sensitive information exposure. Leveraging LLM-powered binary analysis (BinaryAI) performs semantic-level function similarity detection, enabling accurate identification of insecure third-party components. Our findings reveal critical security concerns: ① Extensive vulnerabilities. 689 packages contain 36,162 vulnerabilities linked to 4,167 distinct CVEs. ② Low mitigation implementation. Only 22.3% of packages employ Position Independent Executable for security. ③ Sensitive data exposure. 45.87% of packages risk data leaks, with 23,821 instances of direct exposure on the open internet. Our findings highlight significant security risks in NAS third-party packages and provide valuable insights to enhance NAS device security.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Measuring security posture of NAS third-party packages ecosystem: an empirical analysis

  • Jianbin Xu,
  • Cheng Huang,
  • Yutong Zeng,
  • Jianguo Zhao,
  • Tao Leng,
  • Pin Yang

摘要

Network-Attached Storage (NAS) devices are essential in the IoT ecosystem, widely used for enterprise data exchange and personal cloud storage. Managed via web-based interfaces and network file-sharing protocols, they are increasingly integrated with cloud services, making them vulnerable to cyber threats. While previous research has focused on NAS firmware and public port security, the security of NAS third-party packages remains largely unexplored. These packages, integrated through web services and APIs, introduce new attack surfaces. To address this gap, we propose NASScanner, an analysis framework for automated package collection, preprocessing, and security assessment. Using NASScanner, we conducted the first large-scale security measurement of NAS third-party packages, analyzing 1,489 packages—the largest dataset of its kind. Our study examined third-party component security, attack mitigation measures, and sensitive information exposure. Leveraging LLM-powered binary analysis (BinaryAI) performs semantic-level function similarity detection, enabling accurate identification of insecure third-party components. Our findings reveal critical security concerns: ① Extensive vulnerabilities. 689 packages contain 36,162 vulnerabilities linked to 4,167 distinct CVEs. ② Low mitigation implementation. Only 22.3% of packages employ Position Independent Executable for security. ③ Sensitive data exposure. 45.87% of packages risk data leaks, with 23,821 instances of direct exposure on the open internet. Our findings highlight significant security risks in NAS third-party packages and provide valuable insights to enhance NAS device security.