ASUSTOR Upgrades Security Features and Portal App
Whenever a new security vulnerability is found, NAS manufacturers are quick to respond and release patched versions, allowing users to avoid the worst outcomes for them: lost data or unwanted intruders. Recently there have been such issues with both Samba and OpenSSL, and ASUSTOR responded quickly to these with a new ADM update that fixes both. But they didn’t stop there; they also increased the security for their users by adding a new 2-step authentication function with this core update.
With the 2-step authentication enabled, users will also need to enter a temporary code on top of their username and password in order to log into ADM. ADM 2.6.3 supports two push notification services in Pushbullet and Pushover. Both are available on multiple devices and across different platforms as well as major Web browsers. These two services allow system event notifications to be instantly pushed onto phones, mobile devices or PCs.
“Network security issues have always been present and are impossible to ignore. The chances of having an account password stolen are much greater than many people expect,” said Vincent Tseng, Product Manager at ASUSTOR. “ASUSTOR understands the importance of our users’ data. With regards to data security, we have specifically provided a significant upgrade that offers better protection of our users’ digital assets than ever before.”
It should be noted that this update was released at the end of July, but a lot of users aren’t aware of it yet. I highly recommend that you update your system to this latest version, even if you don’t want to use the 2-step authentication system.
While the above is a bit older, this here is new as it only happened yesterday. ASUSTOR released the Portal 2.0 app that increases the functionality and options available. The new Portal 2.0 app is now available for all ASUSTOR NAS models with an HDMI port: The 31, 32, 50, 51, 61, 62, and 7 series.
ASUSTOR Portal 2.0 provides users with an entertainment experience similar to digital TV set-top boxes and features the new automatic grouping function that organizes the user’s installed Apps into groupings such as All, Video, and Social which allows users to find the apps they’re looking for faster and with ease. The new version allows 12 icons on the screen at once and fully supports 2K/4K resolutions as well, allowing you to enjoy the full experience of all your content directly on your NAS without the need for other computing devices. Use Kodi multimedia player, Surveillance Center, VirtualBox, Spotify, BBC News, Chess, LibreOffice, FireFox, popular streaming multimedia sites and social media sites directly on your NAS.
ASUSTOR’s two step authentication is specious and extremely vulnerable and only provides false sense of added security.
If you set 2 step authentication for an account, it only works through ADM (the web GUI on https port 8001). Nevertheless, ASUSTOR Android apps (e.g. AiData and AiMaster) still use only 1 step authentication with the same account on the very same port (e.g. https 8001). It practically means that you can get all the content and functions of your NAS without the second authentication step, knowing only the password of the account. With AiMaster you can even easily create a new admin account without 2 step authentication, which makes you able to log in through ADM as admin without the second factor.
I warned ASUSTOR last May but they don’t care. Even after major version upgrades (e.g. ADM 3.0) there is no change regarding this vulnerability. I think it is a very good example of promoting a product with new security features without the proper implementation. ASUSTOR is deceiving and betraying the consumers as they don’t show any intention to correct the issue. For me it was a major feature when I decided to buy ASUSTOR, but in the end it turned out that it is only hocus-pocus.
I also find it very unfortunate that reviewing sites are not able to discover and draw attention to such specious behavior.
Best regards
My phone is with me all the time and the authenticator is installed on the same phone. For the apps within the phone, the concern for 2 step authentication is less for me. Of course, it is still better to add 2 step authentication for the high security concern, but at the same time it is cumbersome.
The essence of two factor (or two step) authentication is that if an attacker anyhow takes possession of your password (first factor) he still won’t be able to access your system without knowing (or having) the second factor.
As a general rule, security always comes with a price, so it is always more “cumbersome”. (There Ain’t No Such Thing As A Free Lunch…)
It is ok if someone is satisfied with the provided security of a one factor authenticated system, whether using Windows, Linux, Android or iOS to access the system. Obviously it is much more convenient (and also less secure). But on the other hand, if for whatever reason you want to reach the higher security level that two step authentication can provide (at the price of being more “cumbersome”), it is only reasonable with proper implementation (consistently applied on all potential access interfaces of the system).
There are good examples of proper implementations of two step authentication where the second factor is required to login on all client platforms (e.g. Protonmail requires second factor on both Windows and Android consistently).
There are some solutions though that try to achieve a trade-off between security and convenience. Systems like Gmail for example can be set to ask only once for the second factor on a specific client device, but at least once the user still has to be able to provide the second factor for the first login on every client device regardless of the client platform. This way you sacrifice part of the added security for convenience, but this solution still has to be implemented consistently on all client platforms.
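The consistent-enforcement design argued for in the comment above, as an added example that is not ASUSTOR’s code nor from any project: one login policy that every interface (web GUI or mobile app) has to call, a TOTP check per RFC 6238, and a Gmail-style exemption that remembers a device which already presented the second factor, never a client type. The class and helper names are hypothetical; the audit helper checks that no client type can log into a 2FA-enrolled account with the password alone.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class AuthGateway:
    """Hypothetical single login policy shared by every interface: no client type gets a password-only path."""

    def __init__(self) -> None:
        self.accounts = {}   # user -> {"salt", "pw" (PBKDF2 hash), "totp" (secret or None)}
        self.trusted = set()  # (user, device_id) pairs that already presented the second factor

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_account(self, user: str, password: str, totp_secret: Optional[bytes] = None) -> None:
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "pw": self._kdf(password, salt), "totp": totp_secret}

    def login(self, user: str, password: str, *, client: str, device_id: str,
              otp: Optional[str] = None, now: Optional[int] = None) -> str:
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["pw"], self._kdf(password, acct["salt"])):
            return "denied"
        if acct["totp"] is None:
            return "ok"   # account has no second factor enrolled
        if (user, device_id) in self.trusted:
            return "ok"   # Gmail-style exemption: this device already proved the second factor
        now = int(time.time()) if now is None else now
        if otp is None or not hmac.compare_digest(otp.encode(), totp(acct["totp"], now).encode()):
            return f"denied: second factor required ({client} client)"
        self.trusted.add((user, device_id))   # remember the device, never the client type
        return "ok"

def second_factor_enforced_everywhere(gw: AuthGateway, user: str, password: str,
                                      clients: list, now: int) -> bool:
    """Audit check (hypothetical helper): every client type must refuse a password-only login."""
    return all(gw.login(user, password, client=c, device_id=f"audit-{c}", now=now) != "ok"
               for c in clients)
```

The TOTP secret and time value used for checking are the RFC 6238 test vector (secret "12345678901234567890", T=59), which yields the 6-digit code 287082.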
Hi Gymagyari
I’ve forwarded the info you have provided to my contact and he’s forwarded it to the right department. You should have gotten an email from the support staff too. The issue is being looked into and the R&D department will be starting to revise the issue. Hopefully, that restores your faith a little and I hope you’ll soon have the security of your dreams in your setup.