Title: Measuring security posture of NAS third-party packages ecosystem: an empirical analysis
Authors: Jianbin Xu, Cheng Huang, Yutong Zeng, Jianguo Zhao, Tao Leng, Pin Yang
Journal: Automated Software Engineering, volume 33, issue 3
Publication type: Journal Article
Publication date: 2026-05-04
DOI: 10.1007/s10515-026-00615-y
URL: https://link.springer.com/article/10.1007/s10515-026-00615-y
Journal impact factor: 3.1; JCR: Q3 (Computer Science, Software Engineering)
Open access: no
Citation count: 0
Abstract
Network-Attached Storage (NAS) devices are essential in the IoT ecosystem, widely used for enterprise data exchange and personal cloud storage. Managed via web-based interfaces and network file-sharing protocols, they are increasingly integrated with cloud services, making them vulnerable to cyber threats. While previous research has focused on NAS firmware and public port security, the security of NAS third-party packages remains largely unexplored. These packages, integrated through web services and APIs, introduce new attack surfaces. To address this gap, we propose NASScanner, an analysis framework for automated package collection, preprocessing, and security assessment. Using NASScanner, we conducted the first large-scale security measurement of NAS third-party packages, analyzing 1,489 packages—the largest dataset of its kind. Our study examined third-party component security, attack mitigation measures, and sensitive information exposure. LLM-powered binary analysis (BinaryAI) is leveraged to perform semantic-level function similarity detection, enabling accurate identification of insecure third-party components. Our findings reveal critical security concerns: ① Extensive vulnerabilities. 689 packages contain 36,162 vulnerabilities linked to 4,167 distinct CVEs. ② Low mitigation implementation. Only 22.3% of packages employ Position Independent Executable for security. ③ Sensitive data exposure. 45.87% of packages risk data leaks, with 23,821 instances of direct exposure on the open internet. Our findings highlight significant security risks in NAS third-party packages and provide valuable insights to enhance NAS device security.
Journal description:
This journal publishes research papers, tutorial papers, surveys and accounts of significant industrial experience in the foundations, techniques, tools and applications of automated software engineering technology. This includes the study of techniques for constructing, understanding, adapting, and modeling software artifacts and processes.
Coverage in Automated Software Engineering examines both automatic systems and collaborative systems as well as computational models of human software engineering activities. In addition, it presents knowledge representations and artificial intelligence techniques applicable to automated software engineering, and formal techniques that support or provide theoretical foundations. The journal also includes reviews of books, software, conferences and workshops.