Saturday, February 09, 2019

Synology NAS and security risks of enabling notifications

I use a Synology NAS to backup our two MacBooks. I’ve been ignoring it for 4 years, but a recent hardware failure made me look into it.

I found a number of packages installed and/or running that I’d not updated and mostly didn’t need. So I removed all those and I created a reminder to check the NAS quarterly. I also realized I hadn’t gotten monthly status reports for a long time — for years really (if ever).

To enable Synology email status reports you have to configure Notifications. Old-school SMTP is rarely available now, so I experimented with the Gmail option. I got this:

[Image: Synologygmail, the Gmail permissions prompt shown by Synology]

Oookaaay … that’s an interesting range of permissions. Synology is a Chinese corporation, so this effectively gives Xi the ability to harvest my email. Instead I created a synology user on one of my domain-based Google Suites, enabled access there, then forwarded to my email.
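The objection above is really about scope: a device that only needs to send status mail is asking for a scope that also reads, modifies and deletes mail. The following is an added example (not Synology's or Google's code) that reviews a list of requested OAuth scopes against the one capability a notification sender needs. The scope identifiers are real Google OAuth scope strings; the capability table and the sample consent request are this example's own assumptions, since the page's screenshot is not reproduced here.

```python
"""Review the OAuth scopes a device requests against what it actually needs.

Added example, not Synology's or Google's code. The scope strings are real
Google OAuth scopes; the capability table and the constructed consent
request below are assumptions made for illustration."""

# What each scope lets the holder do, read conservatively: anything that
# can read mail is recorded as "read" regardless of how the device uses it.
SCOPE_CAPABILITIES = {
    "https://mail.google.com/": {"read", "send", "modify", "delete"},
    "https://www.googleapis.com/auth/gmail.modify": {"read", "send", "modify"},
    "https://www.googleapis.com/auth/gmail.readonly": {"read"},
    "https://www.googleapis.com/auth/gmail.compose": {"send"},
    "https://www.googleapis.com/auth/gmail.send": {"send"},
    "https://www.googleapis.com/auth/userinfo.email": {"identity"},
    "openid": {"identity"},
    "email": {"identity"},
    "profile": {"identity"},
}

# A notification sender needs exactly one capability.
NOTIFICATION_NEEDS = frozenset({"send"})


def review_scopes(requested, needed=NOTIFICATION_NEEDS):
    """Describe how far a consent request exceeds the capabilities in `needed`.

    Unknown scopes are listed separately and count against least privilege,
    because a reviewer cannot assume an unrecognised scope is harmless."""
    granted = set()
    unknown = []
    for scope in requested:
        caps = SCOPE_CAPABILITIES.get(scope)
        if caps is None:
            unknown.append(scope)
        else:
            granted |= caps
    # Identity scopes only reveal which account consented; not treated as excess.
    excess = granted - set(needed) - {"identity"}
    return {
        "needed": set(needed),
        "granted": granted,
        "excess": excess,
        "unknown": unknown,
        "least_privilege": not excess and not unknown,
    }


if __name__ == "__main__":
    # Constructed consent request resembling a "full mailbox" grant.
    full_access = ["https://mail.google.com/", "email"]
    send_only = ["https://www.googleapis.com/auth/gmail.send"]
    for label, scopes in (("full access", full_access), ("send only", send_only)):
        verdict = review_scopes(scopes)
        print(f"{label}: least privilege={verdict['least_privilege']}, "
              f"excess={sorted(verdict['excess'])}, unknown={verdict['unknown']}")
```

The useful output is the `excess` set: if it is non-empty, the device is asking for more than a mail relay needs, and a dedicated mailbox (as the post ends up doing) or a send-only scope is the better grant.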

Interestingly, my old settings suggested I had gone down the Gmail road at one point. I wonder what I was thinking; in my 2015 post I commented “Synology is a very Chinese product — including off-key English syntax. I wouldn’t install it in a US government facility.” Maybe I started the setup and then stopped?

2 comments:

Martin said...

You should never give an app or a device full access to your personal e-mail account just for sending out notifications. Just use a simple old-school mail account. They are usually included even in the cheapest hosting plans. Another option is to use an additional free mail account, even Gmail …

I have a dedicated old-school mail account for device notifications. In addition, I use plus recipient e-mail addresses to distinguish between devices (if possible; some developers have still not gotten the, ehmmm, message that e-mail addresses can contain plus characters).

It is of course a - literal - plus if a device asks for an actual e-mail account. More 'modern' devices send out notifications through their own cloud backend. That is still not mandatory with Synology devices.

It is also a good idea to enable only absolutely necessary packages. Synology's software quality outside the firmware and some core packages is doubtful. Many third-party packages are clearly outdated. Exposing any NAS to the Internet certainly takes a lot of courage.
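The per-device plus addressing described in the comment above only pays off if something on the receiving side actually splits the tag out and routes on it. Here is an added example (not Synology's code and not from the commenter) that does that: it parses a recipient address, separates the subaddress tag after the first `+`, and maps it to a device label. It assumes the receiving mailbox ignores the tag for delivery, as plus addressing normally works; the device table and sample addresses are constructed for the example.

```python
"""Route device notifications by plus-addressed recipient.

Added example, not Synology's code. Assumes the mailbox treats everything
after the first '+' in the local part as a tag that does not affect
delivery. DEVICE_TABLE and the sample addresses are constructed."""
from email.utils import parseaddr

# tag -> human-readable device label (constructed)
DEVICE_TABLE = {
    "ds218": "office NAS",
    "ups": "rack UPS",
}


def split_subaddress(address):
    """Return (base_local, tag, domain) for a bare or display-name address.

    `tag` is None when the local part has no '+'. A second '+' stays inside
    the tag, which is how most subaddressing implementations treat it.
    Raises ValueError for input that is not an e-mail address."""
    _, addr = parseaddr(address)          # strips '"Name" <...>' wrappers
    if "@" not in addr:
        raise ValueError(f"not an e-mail address: {address!r}")
    local, domain = addr.rsplit("@", 1)
    if not local or not domain:
        raise ValueError(f"malformed e-mail address: {address!r}")
    base, sep, tag = local.partition("+")
    return base, (tag if sep else None), domain.lower()


def route_notification(to_header, table=DEVICE_TABLE):
    """Map a To: header value to a device label.

    Untagged mail is reported as such rather than guessed at, and an
    unrecognised tag is reported explicitly so a new or mistyped device
    name shows up instead of being silently filed."""
    _, tag, _ = split_subaddress(to_header)
    if tag is None:
        return "untagged"
    return table.get(tag, f"unknown device tag {tag!r}")


if __name__ == "__main__":
    # Constructed sample To: headers as a mail filter might see them.
    samples = [
        '"Synology DS218" <nas+ds218@example.com>',
        "nas+ups@Example.COM",
        "nas@example.com",
        "nas+newbox@example.com",
    ]
    for header in samples:
        print(f"{header!r:45} -> {route_notification(header)}")
```

A mail filter built this way gives each device its own folder and its own alert rule, and an unexpected tag is a useful signal in its own right: it means something other than a known device is addressing the notification mailbox.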

stevechen said...

Synology is a company based in Taiwan. Xi has no reach (at least for now and the foreseeable future). So you can rest a little easier.