Is Quick Connect Secure for Synology?

Reddit Comments

I think the key is to remember that security is not absolute, so when we say something is secure, we mean that it is sufficiently secure vis-a-vis what is being protected, the safeguards implemented, potential vulnerabilities, and the threats that we're considering. In that sense, spacerex's analysis sounds reasonable and I agree with it.

On the other hand, there are folks who want to open ports for this and that service that they haven't really thought about concerning security; maybe their notion of a strong password is "passw0rd123", maybe they don't have failed login blocking enabled, no 2FA... At some point it's just easier, for their own good, to tell them to set up and use a remote access VPN.

πŸ‘οΈŽ︎ 3 πŸ‘€οΈŽ︎ u/charisbee πŸ“…οΈŽ︎ Feb 01 2023 πŸ—«︎ replies

What do you all think? I keep getting told that Quick Connect is insecure, but this was interesting.

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/Leading_Release_4344 πŸ“…οΈŽ︎ Feb 01 2023 πŸ—«︎ replies

The video is fairly balanced and brings reasonable points. Synology has certainly offered better protection in the past than other brands like QNAP.

But every computing device has security vulnerabilities; they just have not been discovered yet. The list of known (and fixed) vulnerabilities proves that such issues have existed in the past:

https://stack.watch/product/synology/diskstation-manager/

The question is how many unknown/unfixed vulnerabilities are known by the Bad Guys. You can never rule out that there will be a large-scale zero-day attack some day on Synology NAS. A strong password and 2FA won't help you in such a case.

πŸ‘οΈŽ︎ 1 πŸ‘€οΈŽ︎ u/gadget-freak πŸ“…οΈŽ︎ Feb 02 2023 πŸ—«︎ replies
Captions
All right, how's it going y'all? Today I'm trying to answer a really commonly asked question: is Synology's Quick Connect secure? That's going to be the purpose of this video, and to start off we're actually going to have to go through a quick overview of what Quick Connect is. Quick Connect is essentially a really easy way to find your Synology wherever you are. It is designed to work and be kind of dummy-proof: you essentially just set up a Quick Connect and Synology will handle the rest. No matter where you are, if you're on your local network or if you're remote, it will find a way to connect you to your NAS, and it's also going to do a really good job of pretty much making sure you're on the fastest possible connection to your NAS.

There are two different ways you access it. First off, it's kind of the default whenever you're setting up a NAS for the first time; it says, hey, do you want to set up Quick Connect? And after the fact you find it in Control Panel under External Access. So this right here is Quick Connect, and as I said earlier it's got a lot of great benefits. You can see right here I'm using it to directly connect to the NAS, and even better, it realized I was on the same network as the NAS, so this 10.30.0.106 means that I'm actually directly talking to it locally. The other thing that it's done is, if we click on it right here, we can see that it has a fully signed SSL certificate, another great benefit. So without us doing anything other than hitting a single button, Synology handled all of this for us; Quick Connect handles all of it, so we're not going to get that "hey, this is an unsecured connection" or anything like that. It does it all for us, but this does come with some security implications.

To give a one-word answer to "is Quick Connect secure?": I would say yes, but it is less secure than no port forwarding at all. Whenever you enable Quick Connect you're pretty much always allowing external access to your NAS; that is just part of it, because Quick Connect allows you to access the NAS whenever you are on the road without having set up a VPN or anything like that. You don't even actually have to set up port forwarding. So Quick Connect always gives you external access; that's really what it's used for, and that in and of itself comes with some security implications. Effectively it will always be less secure than having zero external access; that's just the truth of it.

So by enabling Quick Connect versus having absolutely zero external access to your NAS, you're really opening up two possible avenues by which you could possibly be hacked. I'm not saying these are necessarily likely, but these are the two avenues that really open up. The first is the most simple, and it's actually the only one that's ever been exploited on a Synology, and that is brute-force password guessing. Quick Connect allowing your NAS to be open to the internet means that now people outside your local network can start seeing the NAS and start interacting with it; basically they get to the login page. So essentially, if we go in and we just sign out here: if somebody goes through and does brute-force lookups and figures out what your Quick Connect ID is, they can get to this page right here. Synology does do a lot of stuff in the back end trying to limit this, and it's actually surprisingly effective; they do a really good job of limiting it overall, but obviously they can't do everything. But they can get to this page, assuming they know your Quick Connect ID, and then they can start password guessing. That is avenue one by which people could start attacking your NAS, a possible avenue for hacking. And that right there is actually the only time Synologies actually have been hacked: from people opening them up to the internet and then having the username of admin and the password of admin, which was the old default username and password back in, I think, DSM 5. They then would update and never change the username and password, and so that would be on the internet; they would open it up online and then people were guessing that. That's really the most common avenue and also the easiest one to defeat.

So I'm just going to go ahead and sign back in there. As long as you have a somewhat strong password and a username that's not admin, it's pretty easy to protect yourself from this. You just go into Control Panel, Security, Protection, and by default you have this right here: by forcing people to have only 10 login attempts within five minutes, it would take an adversary a very, very long time, even if they knew your username, to be able to guess your password, assuming it's more than like six characters. It is just one of those things where, unless it's a dumb simple password, it's just not going to happen; it would take multiple years and years and years of straight attacking for that to happen. And so that is why you always want to make sure to have auto block enabled, just to shut that avenue down.

The other thing that can also happen is if you've got users and one of them accidentally shares it online or something; there is a higher chance there, but there's a lot that the attacker would have to know for that to happen. They'd have to know where this is, they'd have to know what the Quick Connect address is, they'd have to know about Synology, they'd have to know what this user does. They'd have to have a lot more information than just some dummy in an adversary country brute-forcing their way into everything. That's a targeted attack that's pretty unlikely, and more likely than not your company's not large enough to really have that, though in larger companies make sure you have things like two-factor authentication, because that can protect from that very well. So that's the realistic thing that you need to worry about, and you can protect yourself from it.

The second piece is something you really cannot protect yourself from, and that is the unknown of Synology. Synology has shown itself to be a very secure company; they put their money where their mouth is. If you report a vulnerability to Synology, they have a bounty program. You can go in here into Synology and you can see down here there's this bounty program, and if you find a vulnerability within Synology DSM they will pay you up to twenty thousand dollars. They clearly have a lot of incentive here and they are clearly doing stuff that is attempting to make their services as secure as possible, and so that's a really good sign overall. Synology, from their track record, has never actually been directly attacked; I've got no knowledge of a known exploit ever being used other than password guessing. There have been times where there's a vulnerability announced, but it is patched very quickly, and I do not know of a single time that somebody's actually hacked into a NAS that was not just, like, on a control server as a proof of exploit. Synology clearly spends a lot of time and puts their money where their mouth is, and they really do a good job of security.

That being said, there's still the huge unknown where anything could happen, and to be fair the same thing can happen with Google Drive or Dropbox, but those tend to be larger companies and tend to be a little bit more secure because they've got full access to things. But with Synology DSM there is always the inherent unknown that one day there is a bug found on that sign-in page that allows somebody to get super admin access immediately without having to do anything. It's very unlikely; the most likely case is that it would actually be a user who could authenticate over their current capability, but having Quick Connect open or closed isn't really going to help you from that, because, well, if your user is attacking you, you've got bigger problems. But that is still always an unknown, and so you have to question that. For businesses who can completely go off of Quick Connect, don't need to share files with anybody else or anything like that, and already have a good VPN setup: if it's working for you, keep it; there's no reason to enable it unless you have to. But for the vast majority of people I would say overall Quick Connect is pretty secure and overall pretty safe.

I'm going to touch on how it works really quickly now, just to give an overview of it. Synology has this great white paper that you can download, the Synology Quick Connect white paper, and it pretty much talks about how Quick Connect works. Quick Connect works with three different attempts to join a request. First off, it's going to check and see if you're on the local network of the NAS. If it does, that's when you get this address up here; you see that local IP address right there. That means, hey, I found that this is local, I'm going to talk to it locally to get the fastest possible speeds. Then, if you're not on the local network, it's going to try the public IP address of your house. It's going to say, well, maybe if he's not on the LAN, maybe he's opened up the ports properly and I can access it there, and if you have, it will just actually do a direct connection and not go through any of Synology's servers. And then after that (I'm actually going to switch diagrams because this one helps a little bit more) it's going to try two things. It's going to try to do what's called a hole punch. A hole punch essentially has the NAS ask your firewall, hey, can I open up this port for this specific user, and then use that. The way a hole punch works is your computer asks the server, hey, I'd like to talk to the NAS, and then the server comes down and talks to the NAS and says, hey, ask your router to open up this port for this client. If that happens, from there the client is able to directly communicate, in the same sense as opening up a port directly with the NAS. It's got a virtual tunnel there, and none of the data has to go through the Synology relay servers anymore; it is all direct connect, pretty much the same speed as if the port was open publicly. And so this is awesome if it does work, but if it doesn't work (and in my case I've noticed it works with a lot of routers), it has to go through what's called a relay server. A relay server still allows you to access your NAS and still use technology driving everything, but it requires going through one of Synology's servers. The nice thing is it's completely encrypted with SSL, so you really don't have to worry about it too much, in the same way that it's just kind of passing through another hop of the internet; it just happens to hop through the Synology relay server. It is fully encrypted with SSL, so Synology cannot decrypt any of this traffic, but it does go through Synology's relay servers, which means that you do get a slowdown penalty, and especially in non-US countries it's a lot slower, because essentially Synology has to foot this bill, and so they're not going to give you one gig up and down through there, because that'll cost them a lot of money. So it's pretty limited; for simple photo sharing it's fine, but for anything else it can be quite slow. And so that's how Quick Connect works.

All that being said, all that advanced science behind it, it's essentially a way to access the NAS outside your house, and so really what you're having to ask yourself here is: is Synology DSM secure? Personally, for me, I have Quick Connect enabled. Whenever I share files with clients I use Quick Connect, because it's an easy way for me to guarantee that it works. It's also me putting my money where my mouth is: I use Quick Connect to share files. I have read through and I've looked at as much security stuff as I've seen from Synology, and they've got a very good track record, but that's really what you have to go off of. As long as you have secure passwords, enabling Quick Connect is really just going to be you giving yourself the vulnerability that one day Synology could be hacked.

So if you do have Quick Connect enabled, the one thing that can really help you is going to Control Panel, and under Updates you want to set your update settings to be this: essentially, automatically install important updates (security vulnerabilities), and that will make you feel a lot better. The other thing is you probably want to at least keep an ear to the ground; maybe subscribe on Reddit to r/synology or something, just so that if anything crazy happens with Synology you hear about it. These bugs don't just all of a sudden hit everybody at the exact same time; it tends to be, oh hey, a few people start reporting it, and you have a while before it would probably hit your NAS, because it tends to be just a small group of people who are going one after the other after the other. So it's not a bad idea to just keep your ear to the ground. The other thing you can do is make a really long Quick Connect address. If you've got a 15-character, really long and really annoying Quick Connect address, they're not going to get to you for a very, very, very long time, because there's no single list. Synology has done a great job of obscuring Quick Connect addresses, so there's no single list that's publicly accessible, at least not one that I've been able to grab, that will actually tell you what all the Quick Connect addresses are. So if you have a very long Quick Connect address, it's kind of, in a sense, like a password: they first have to figure out what that is, with limited retries actually, which is awesome, before they're able to even see your NAS.

So in summary, Quick Connect is something that I believe to be secure enough to use. It is not something that is completely bulletproof, and it always inherently will give you additional risk versus having zero external access to your NAS, or access to your NAS through a very secure VPN provider. But other than that, I believe Quick Connect is secure enough for the vast majority of users. Obviously for multi-billion-dollar corporations with thousands upon thousands of employees it's probably a good idea to have a better system than that, but for the average business Quick Connect has shown itself to be very useful and very simple to administer. So I would not lose too much sleep about it; just make sure to keep your NAS up to date, just in case anything ever is discovered that is exploitable.

All right, well, that's going to be it for this tutorial and overview. Go and leave any other questions you've got for me in the comments below, and if you want to hire me there's a link for that in the description. All right, have a good one. Bye.
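The transcript's argument that the default auto block setting (10 failed logins within five minutes) turns brute-force guessing into a multi-year effort can be put into numbers. The model below is an added example, not code from the video or from Synology; it assumes the block is applied per source IP (so an attacker with several addresses scales the guess rate) and that the attacker is reduced to exhaustive guessing, and the character-class sizes are its own choice.

```python
# Added example (not code from the video or from Synology): a rough risk model
# of online password guessing against DSM with the default auto block setting
# the video mentions, 10 failed logins within 5 minutes. Assumptions made here:
# the limit applies per source IP, and the attacker is reduced to exhaustive
# guessing (a weak or reused password falls to a short wordlist regardless).
import string

ATTEMPTS_PER_WINDOW = 10          # DSM default auto block threshold (video)
WINDOW_SECONDS = 5 * 60           # ... within 5 minutes (video)
SECONDS_PER_YEAR = 365 * 24 * 3600

ALPHABETS = {                     # candidate character classes (assumed)
    "digits": len(string.digits),                        # 10
    "lowercase": len(string.ascii_lowercase),            # 26
    "alnum": len(string.ascii_letters + string.digits),  # 62
}


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, sources: int = 1) -> float:
    """Worst-case years to try every candidate through the auto block limit.

    `sources` is the number of source IPs the attacker spreads guesses over;
    auto block throttles each address separately (assumption), so the total
    guess rate scales linearly with it.
    """
    guesses_per_second = ATTEMPTS_PER_WINDOW / WINDOW_SECONDS * sources
    return search_space(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def minimum_length(alphabet_size: int, target_years: float, sources: int = 1) -> int:
    """Shortest password length whose full search takes at least `target_years`."""
    length = 1
    while years_to_exhaust(alphabet_size, length, sources) < target_years:
        length += 1
    return length


if __name__ == "__main__":
    # The video's rule of thumb (more than ~6 characters) holds for letters,
    # but a 6-digit PIN falls inside a year of auto-blocked guessing, and an
    # attacker with 100 source IPs needs two extra letters to be offset.
    for name, size in ALPHABETS.items():
        print(f"{name:>9}, 6 chars, 1 source: {years_to_exhaust(size, 6):>9.1f} years")
    print("min lowercase length for 100 years, 1 source:  ", minimum_length(26, 100))
    print("min lowercase length for 100 years, 100 sources:", minimum_length(26, 100, 100))
```

The figures are upper bounds on exhaustive guessing only; they say nothing about a password that appears in a leaked-credential list, which is why the transcript's other advice (non-default username, 2FA, updates) still matters.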
Info
Channel: SpaceRex
Views: 24,523
Id: s9YguJ1SsTM
Length: 14min 28sec (868 seconds)
Published: Wed Feb 01 2023