UGREEN NAS - ARE THEY SAFE?
By NASCompares
Summary
## Key takeaways

- **UGREEN NAS: No Major Vulnerabilities Yet**: Despite being on the market for over a year, UGREEN NAS devices have not yet experienced any widespread security vulnerabilities, unlike some more established brands. However, their long-term security response remains untested. [00:05], [00:41]
- **Extensive Chinese IP Connections Observed**: After setting up a UGREEN NAS with all its applications and leaving it for a week, a significant number of connections to Chinese IP addresses were observed, raising concerns for some users due to China's cybersecurity laws. [02:54], [06:44]
- **DNS Abuse Risks: Ransomware & Man-in-the-Middle**: Malicious or compromised DNS lookups can be exploited to trick NAS devices into downloading malware or ransomware, or to facilitate man-in-the-middle attacks by redirecting traffic or providing fake information. [09:34], [10:35]
- **UGREEN DNS IPs Not Always Recognized**: Unlike some other NAS brands where DNS targets are easily identifiable, many of the IPs UGREEN NAS devices connect to are not found in extensive databases like UniFi's, requiring users to manually verify their safety. [16:41], [17:18]
- **User-Driven Security is Key for UGREEN**: While UGREEN NAS devices are considered safe currently, users concerned about security will need to be more hands-on compared to other brands, actively monitoring logs and configuring security settings. [18:14], [19:41]
Topics Covered
- Why Chinese NAS devices raise unique security concerns.
- DNS lookups: A hidden attack vector for ransomware?
- Global DNS pings are common across all NAS brands.
- How can you truly secure your NAS from external threats?
- UGREEN's software must adapt for global security trust.
Full Transcript
Are UGREEN NAS devices safe? It's a fair question. For the last year, I think about 14 months, they have had NAS solutions in the market. They've got several of them. But I think now, after this amount of time, with this many solutions and a lot of people giving them very, very good credit online, it's only fair that we talk about security, notwithstanding the fact that this brand hasn't been tested in terms of a widespread security vulnerability. What do I mean by that?
They are a brand that, unlike your QNAPs, your TerraMasters, even your Synologies out there, which have been tested with things like Solo Locker and vulnerabilities found within Linux kernels, seemingly has not had a large incident yet. Ultimately it comes down to a vulnerability being found within Linux, and a lot of the time, if it's not hard-coded credentials, it can come down to how the brand handles a security incident as well. We still don't know that about this brand. But despite that, we do have these systems. We can have them set up. So we can find out what exactly this device talks to when it's on, and that's what today's video is about. I set this device up, the DXP4800 Plus, and again, this can largely apply to any UGREEN NAS, I think, at least at the software level. We can't really work out too much on hardware at this stage. We set the device up a little under a week ago.
I set it up with one drive inside the four bays. I then set it up with the latest generation of their UGOS software, and then I installed every single one of the applications, barring a few third-party ones, because again, a vulnerability in the third-party software, yes, you could point at that being the brand themselves not going through the software hard enough, but I think that would be slightly disingenuous to the brand. Also, for now, I wanted to focus on just the apps that they say are theirs and therefore have involvement in. From there I did nothing. I left the device running for a little under a week. Afterwards, thanks to me putting it through a UniFi gateway, I was able to see the IPs it was talking to, and that's what we did. So let's fast forward to the results.

So it's just shy of a week later. The UGREEN has been set up and barely interacted with, as you'll see from the logs in a moment. You can see the tabs at the top of the screen, and I'll also say that periodically throughout the video I'm going to appear here on screen, but ultimately there's going to be a lot of information on screen and I think my face is just going to take too much up, so I'm going to flick back and forth throughout the course of the video. But right now, if we go into the logs of this system, you can see that although I've logged in a few times, and some of the applications that we installed early doors are on screen there, overall it hasn't really been interacted with at all since that 6th of August setup there. And of course, we installed every single one of those applications. Now we make our way into my UniFi system.
Probably the most alarming thing to anyone that's really used a NAS system, straight away, is going to be just how many times we can see Chinese flags here on screen. Indeed, for the 9,42 active logs for this system that have taken place during its operation, there you can see all manner of IPs going outwards from the system. So before we go any further, we need to highlight a few things. Number one, what is a DNS? A DNS, or domain naming service, is kind of like the Yellow Pages here in the UK, or just the phone book. It ultimately means systems being able to find directories via this recognized identifier, this IP. Now, because we installed so many applications when we initialized the UGREEN NAS, each one of those presumably has its own DNS lookup table. It's going to be looking up things like API servers and metadata scraping for multimedia applications. For cloud synchronization, it's going to be pinging some of the known DNS servers in the US, and indeed outside of the US, for some of those integrated APIs. If an app has AI integration, do not be surprised if it has its own update methodology along with the system firmware, which in and of themselves are going to have their own DNS targets as well. Containerized applications more often than not have a huge array of different DNS lookups built into the image that you're downloading from the repositories. Your SSL certificate authentication, their firmware updates, the app center, the application updates: all of these have their own lookup table that they generally ping back and forth from. So regardless of whether your NAS has internet access or not, it's not going to stop the system continuing to ping them. But what makes this arguably a much more haphazard undertaking for most users, when they're looking at tables like this, is that this is a NAS made in China that's also being sold in China. So they're having to facilitate a lot of different markets, hence why we're seeing a lot of different regional IPs appearing.
It can appear incredibly intimidating. Let's break down a little bit of what we're seeing here. Now, we could break down these IPs and go page after page, but I think a lot of us would agree that that's a huge number of pings coming from a system that's been in operation for less than a week. Yes, we have to balance that against the full range of applications and services that we are running on this system right now, but still, nonetheless, that is a lot of them. However, once you break them down, this is actually the full list of IPs, at least for the first two or three days, that I was able to correlate. And as you can see, the majority of them are DNS related. So, for example, well-known DNSs: we've got some of the US-based ones, we've got Google and Cloudflare there. And then it breaks down to some Chinese-based DNS. We will go into the good and the bad of that, by the way, later on in the video. And then you've got things like NTP. Now, that is a system time check. Again, you get it with Windows and a lot of mobile devices as well. And then finally you've got things like UGREEN's own cloud service endpoint, which is their kind of relay system going back and forth for the transmission of information. Generally that is also being used for some of those firmware updates. So although I see it on here and I'm not too concerned about it, I will say that I disabled remote access when setting up the device, which generally would be for me to play with the system on the go. I do find that although I disabled remote access, I wish there was a way to disable remote checks via that relay for things like updates. That said, we can't be naive.
There is a huge number of Chinese domains being listed there for the DNS calls for each of the different apps and services. Now, DNS in and of itself is not inherently unsafe. Indeed, this doesn't restrict it just to China. But why do people have such a beef with Chinese IPs appearing on their system when they're in operation? Well, a lot of that is to do with government policy in China with regards to cyber security law. So, for example, Tencent, Baidu, stuff like that: they're legally required to log queries. So if they're logging those queries, a lot of users are concerned about the Chinese government having access to details with regards to your encryption, details with regards to your login specifics, login policies; you know, the jurisdiction and access to that data will change from region to region. Likewise, when we look at these DNSs and we sort of span through each of these pages one by one, and you do see the same sort of IPs going time and time again, we also have to acknowledge that the safe access and the bounce back from that DNS back into your system is going to be heavily dependent on the security of the DNS. And although some of these bigger players there are traditionally a lot safer than some of the small unknowns, I think a lot of users are still going to have issues with the reliance on some of these apps and services requiring, or at least arriving by default with, IP pings over there in the East being so frequent the more apps that you install.
Exploitation of this kind of system for things like malware or, you know, command line injection is pretty slim, it has to be said, but not impossible. But the same could be said of any regional IP being used, so this isn't unique to Chinese-based DNS IPs. But then don't overlook the fact that it could apply to a French IP, a German IP, and of course DNS spoofing is something to be concerned with. So do keep in mind, depending on the setup you are utilizing.
For example, if you're using a UniFi gateway like this one, you can just select that, go down, and block that IP at source. You can do this with other systems, but it's a great deal easier on the UniFi setup. So you can make sure it can never connect with it. Yes, it will almost certainly mean that the connected service may not function fully, but for some of you, that may well be enough. And again, remember, if you've completely severed your NAS on its own separate VLAN, you've separated it completely from the rest of your internet-connected devices, and therefore it has no internet-connected service at all. Yes, it's still going to keep trying to ping the IP, but it's not going to have access to it, or access to outside services to do anything with it.

Now, a very quick interjection here that I'm adding in post, because I realized I should have gone into more detail about DNS and how it can be abused in order to harm your system, which, let's be honest, is a real serious concern. Now, when you are having these DNS lookups, which, by the way, again are perfectly normal in most NAS operation, how they can be abused, for example, is as follows. If you have a malicious DNS listed, or your system has fake DNS information provided where it looks like it's going to one thing but it isn't, that can result in the system being tricked into, for example, downloading a firmware update that is compromised, or downloading an exploitative application update, which can then perhaps have a backdoor that allows people to inject code. Remember, the majority of the time these days with a NAS, they're not trying to extract your data. It takes too much; you'd have to be in a huge organization for them to be able to do that, and that takes time and can be easily caught while it's happening. Whereas the injection of a line of code can lead to something like ransomware, where your system can be zipped up, the original data deleted, and you will be ransomed to get the pass key back in order to unlock your data. It's quite common, normally Bitcoin related, but that's an example of how a bad DNS, or at least a covered or fake DNS address, can be exploited. The same thing goes for something that's commonly known as man-in-the-middle attacks, where a malicious DNS can actually be used to enable a user in the middle to capture packets of data going in either direction. Again, that can also be used for injection. This can be limited somewhat with the utilization of something like HTTPS, which will secure and encrypt the protocol, but it doesn't completely rule it out. We still remember what we mentioned earlier on about the sheer number of DNS lookups that were taking place over those periods of time. Well, with a malicious DNS, or a bulk of malicious DNSs working together, sensitive information can actually be distributed via smaller packets across multiple small, high-frequency, small-volume DNS lookups. Again, not the most common occurrence, but not impossible, and just another reason why verification of DNSs is pretty important. There are lots of tools you can find online, lots of free ones too, where you can look up the sanctity of a DNS. Go for some of the trusted platforms, or at least look up a particular DNS that you're concerned about via multiple outlets online to ensure that one isn't giving you falsified information. But still, nonetheless, I think it's important that, although we are talking about DNS lookups being on the whole a fairly common thing on your NAS, we should at the very least take the trouble to go through where they can be problematic and also how to verify their identity.

Likewise, as mentioned in other videos, go into the control panel and actually change what can access what, assign your own domain, or go for a dynamic domain naming service locally to kind of fuzzy things up. Likewise, you can go into the network settings and security settings on any NAS, not just UGREEN, and change a lot of your security policies and limit the number of attempts. There are lots of things you can do and set up to restrict firewall rules and access rights on your system to significantly reduce the attack vector there. Still, nonetheless, when it comes to the security of a NAS, I do think it is better to, of course, gateway the NAS, but also gateway the network gateway as well, because that does even better if the NAS software in question (again, not applicable to just UGREEN, any NAS software), if the user interface controls that you have implemented do not get carried down to the hardware-level backend, straight onto the PCB and the controllers and chips. It's better to assign a lot of these controls very early doors on the network gateway.

Now, I do also think it's worth highlighting that this list of IPs we can see here on the bottom is not limited to just the likes of UGREEN. For example, here's Synology's BeeStation system. The Synology BeeStation is a relatively new system, this new BeeStation Plus model, a very simplified device where you have very limited access to control, very limited access to restricting who can access what, your security implementation there and more. The range of controls for IP, domain, DNS services and more is incredibly restricted, as this is a more simplified NAS platform, and I think this is quite safe. But nonetheless, when we go into my UniFi switch, and you can see the times on the right-hand side of the screen, this is a system I've only had up and running for, essentially, we can go back to the very latest page, I rebooted this device at 9:06 on this new network, and it's right now 10:18, so it's a little over an hour.
And in that time, we've already seen the system access a myriad of American, German, Japanese, Italian, and French IPs, I believe, on here as well. Now again, there's no Chinese flags on there, which I know a lot of you are going to be pleased to see, but I do think we have to be at least moderately balanced when it comes to DNSs and obviously the rules of the countries in which these host DNS server bounces take place, and the impact they have. But having a sheer range of 9,000 over the course of a little under a week, when the BeeStation here, which only has three applications installed, the file one, the photos one, and the Plex one, still managed to achieve over 350 in an hour. Now, if this really is something that concerns you, you can go for NAS devices such as the HL8 from 45Drives I've got set up here with its base hardware. As you can see, the list of regions covered in this particular device's DNS lookups and NTP pool for time checks is pretty limited in scope. For a Canadian NAS device, it's not surprising that repo.45drives, based in Canada, would be there, but they're predominantly US and UK based. Again, that's 138 over that time. Then again, we've got things like this. This is a TerraMaster NAS, the new F4-425.
And this one, as we can see when we delve into the history of this device, is another one that's only been on for about an hour; we can see this one was powered on at 9:27 there. So, less than an hour indeed. And at boot, we can see Chinese DNS getting pinged there. This was for the initialization of the device; again, it's setting up for the first time, so that was first-time boot. And now that the system is established, with no applications and services outside of the base level, we can see that there are no Chinese DNS pings there. Again, as I install more applications, no doubt there are going to be different apps and services built into the app center that have out-of-UK IPs being pinged for DNS purposes. But unless you're prepared to take the time and look into these individual IPs, or use an AI LLM to look them up for you, it really is going to be slightly down to you, the end user, to monitor on top of this. Bottom line: do I think UGREEN is safe? I do think UGREEN is safe at this time.
I really do. But at the same time, I think it would be remiss for users that are installing a device predominantly created in a Chinese regional environment, and distributed outside, to not at the very least take the time to go through their logs, especially if you're going to use a network switch in the middle that gives you the ability to really break things down to find out more. But keep in mind, as you may not have seen on the screen throughout the course of this, that a lot of these IPs are not service listed, even on UniFi's pretty extensive database. For example, when we were looking at the Synology there, pretty much all of them were easily listed. They were using recognized, publicly listed DNS targets, so the UniFi system was very quickly able to pick those up. And that was something we saw again when we were looking at the HL8. But coming back to the UGREEN, they just weren't part of that database. So take the time to look them up. And again, I recommend using an AI LLM, because you generally find they find the short lists quite quickly of a lot of those listed DNSs, to let you know when it is a DNS that's being pinged out, and often if something is coming back to you, again with firmware updates and more, letting you know when they are coming from recognized sources. Once again, if in doubt, block the hell out of any DNS that you're not comfortable with. Go into the system and uninstall application services that you aren't happy with. Have two-factor authentication, something that's very, very difficult to countermand and get around on a remote access level, because you need a local client with a constantly regenerating passcode. On top of that, get into your system and adapt your security settings.
Make sure, for example, that you have enhanced DoS protection in place for when you've got traffic coming the other way that may be taking advantage of DNS spoofing in order to garner information about your system to try and reverse engineer an access point.
Finally, the majority of NAS devices these days integrate firewall control inside. Remember I mentioned earlier on about the network monitoring software that you choose to use, be that your pfSense, your OpenWrt routers, or if you're using a UniFi router or switch in the middle; again, you can block them there, but make sure you go into the firewall settings of your NAS if you want to be particularly diligent, and if you find, for example, an IP that you are not happy with. So, for example, that one there: you go in, set up your firewall, and create a rule where that is not going to have that level of access via that very specific port. You can assign those IPs quite easily. It is worth doing if you want to be particularly cautious.
Nothing about what I have seen today makes me think that UGREEN's NAS isn't safe. I will say it's going to require more hands-on work for those that are particularly concerned than some of the other brands I've seen out there. But as I've shown you with examples from other NAS brands, what we're seeing here is not wholly unusual for a device designed and originally created in another country. What could UGREEN do to change this? I would say definitely they should go into their software services and change some of this DNS lookup on some of those applications and services to better fit the regions they are distributing within.
Certainly, on top of that, I do think that their brand could stand to be a little bit clearer about the ability to change some of the DNS protocol in some of these apps, something you can do, by the way, with some of the containerized applications a great deal more easily. But it's unfortunately that line between creating one-click installation of applications, and applications and services where you get to tweak and tinker with them like you can with containers, to have things best suit your needs. But again, I wish their log system just gave me a little bit more in terms of being able to block individual IPs.
Thank you so much for watching. I'm going to be frank: this is an incredibly dull subject to discuss. It's very, very important, but it's really, really difficult to make videos like this interesting. That's the realistic truth of it. People that care about this stuff, the people that are prepared to put in the time and effort and figure out what they should and shouldn't be doing, or what they should and should not be concerned with, it takes time, much like making a video like this, which unfortunately is probably not going to get a huge number of views. But I think it's important enough that it's something we could discuss perhaps with other NAS brands, to get a good understanding of the status quo if we install all of their base applications. If that's something you want to see, let me know in the comments.
Lastly, if you found this video helpful and if you're looking to get any of the devices or some of the recommended software that I talked about today, below will be links that help you get hold of these, whether it is hardware or in some cases software. Using those links results in a small commission coming to me and Eddie here at NASCompares. It's just us doing this and it allows us to keep doing what we do. And as I say, a video like this isn't going to be that popular, and therefore every little bit helps. Thank you so much for watching and I'll see you next
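The log review the transcript describes (export the NAS's outbound connections at the gateway, separate well-known resolvers and NTP from unknown targets, then look for the high-frequency, small-volume DNS lookups the author flags as a way data can leave a system) can be automated. The script below is an added example and is not the video's, UGREEN's or Ubiquiti's code. The one-line-per-flow export format, the sample records, the LAN address and the 203.0.113.x / 198.51.100.x destinations are constructed for illustration; only 8.8.8.8, 8.8.4.4, 1.1.1.1 and 1.0.0.1 are real (the Google and Cloudflare public resolvers the video names). The uniqueness and entropy thresholds are assumptions to tune against your own network's baseline.

```python
"""Triage a NAS's outbound flow export: which destinations it talks to, which
of them are recognised resolvers or NTP, and whether any DNS zone shows the
many-unique, random-looking-subdomain pattern typical of DNS tunnelling.

Added example. The export layout is a hypothetical stand-in, not the UniFi or
UGREEN log format; destinations other than the Google/Cloudflare resolvers use
RFC 5737 documentation ranges and are constructed.
"""
from collections import Counter, defaultdict
import math

# Google and Cloudflare public resolvers; the video calls both "well-known DNS".
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}

# Constructed sample export, one flow per line (hypothetical format):
#   <timestamp> <src> <dst> <dst_port> <proto> [<dns qname>]
SAMPLE_FLOWS = """\
2025-08-06T09:00:01 192.168.10.20 8.8.8.8 53 udp time.cloud.example
2025-08-06T09:00:01 192.168.10.20 1.1.1.1 53 udp app-store.cloud.example
2025-08-06T09:00:02 192.168.10.20 203.0.113.7 53 udp photos.cloud.example
2025-08-06T09:00:05 192.168.10.20 203.0.113.9 123 udp
2025-08-06T09:00:06 192.168.10.20 198.51.100.40 443 tcp
2025-08-06T09:00:10 192.168.10.20 203.0.113.7 53 udp 3a9f1c7e.suspicious.example
2025-08-06T09:00:11 192.168.10.20 203.0.113.7 53 udp 8b2e47d0.suspicious.example
2025-08-06T09:00:12 192.168.10.20 203.0.113.7 53 udp c41d0a9f.suspicious.example
2025-08-06T09:00:13 192.168.10.20 203.0.113.7 53 udp 5e6f9b2a.suspicious.example
2025-08-06T09:00:14 192.168.10.20 203.0.113.7 53 udp d7a2c3e8.suspicious.example
2025-08-06T09:00:15 192.168.10.20 203.0.113.7 53 udp 0f4b6a1c.suspicious.example
"""


def parse_flows(text):
    """Turn the export into dicts; lines with fewer than five fields are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, src, dst, port, proto = parts[:5]
        records.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                        "proto": proto,
                        "qname": parts[5] if len(parts) > 5 else None})
    return records


def classify_destination(dst, port):
    """Coarse label for a (destination, port) pair."""
    if port == 53:
        return "known-resolver" if dst in KNOWN_RESOLVERS else "unknown-resolver"
    if port == 123:
        return "ntp"
    return "unknown"


def destination_report(records):
    """(dst, port, hits, label) tuples, most frequent destination first."""
    counts = Counter((r["dst"], r["port"]) for r in records)
    return [(dst, port, n, classify_destination(dst, port))
            for (dst, port), n in counts.most_common()]


def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than words."""
    if not text:
        return 0.0
    freq = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def tunnelling_suspects(records, min_unique=5, min_entropy=2.5):
    """Zones whose subdomains are numerous, never repeated and high-entropy.

    Legitimate update/API hosts repeat a handful of fixed names; a zone that
    receives many distinct random labels is carrying data inside the queries.
    The thresholds are assumptions; tune them against your own baseline.
    """
    subs_by_zone = defaultdict(set)
    for r in records:
        if r["qname"]:
            labels = r["qname"].split(".")
            subs_by_zone[".".join(labels[-2:])].add(".".join(labels[:-2]))
    suspects = []
    for zone, subs in subs_by_zone.items():
        if len(subs) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_entropy >= min_entropy:
            suspects.append((zone, len(subs), round(mean_entropy, 2)))
    return suspects


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for dst, port, hits, label in destination_report(flows):
        print(f"{dst:>15}:{port:<4} {hits:>3}  {label}")
    for zone, unique, entropy in tunnelling_suspects(flows):
        print(f"suspect zone {zone}: {unique} unique subdomains, mean entropy {entropy}")
```

Run on the constructed sample, the report puts 203.0.113.7 at the top as an unknown resolver with seven hits, and the zone check flags suspicious.example because six distinct eight-character labels were queried in six seconds; the three fixed names under cloud.example are not flagged. On a real export the unknown-resolver and unknown rows are the ones to look up and, if you are not comfortable with them, block at the gateway or in the NAS firewall as the video suggests.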