Under the Covers
Figure 22 shows the main board of the ix2.
Figure 2: ix2 Main Board
As you can see, it's pretty sparse. Most of the functionality is provided by Marvell's 88F5182 "Orion" Network Storage Processor. The two Hynix chips at the top are the 128 MB of RAM and the Spansion device on the right provides 4 MB of flash. You can't see the Ethernet chip, but if it's like all other Orion-based NASes, it's a Marvell 88E1118.
As usual, I always try to get command-line access to find out more about what makes a NAS tick. In my review of Iomega's original StorCenter Terabyte, I found that I could exploit a bug to easily share the top-level operating system directory using the web interface. Once the OS was shared, I created a startup script to fire off a telnet daemon allowing me to log in as root. Very easy.
This time, I started down the same path, but I found that Iomega had tightened up their interface quite a bit. Attempts to share anything other than the standard directories were properly caught and rejected. And since the interface was encrypted using HTTPS, I couldn't use an argument-modifying HTTP proxy to make arbitrary changes to the passed-in arguments.
Another exploit I often try is injecting shell commands using the email address specified in the alert form. I tried this and my attempts were once again caught and rejected. What to do?
One possible vulnerability I noticed during my testing was the new "search" capability. I suspected that whatever search term I put in the form would eventually be passed to a shell script on the system to do the actual work. If the search input was not properly processed to remove characters that should not be found in search terms, then it might be possible to submit Linux commands to the search function and have them processed by Linux.
Long story short, I found that the ix2 did, in fact, have this vulnerability. Not only was I able to submit commands, but I could also have them reference a script that I stored on an ix2 share. By modifying the script, I was able to find daemons for both SSH and Telnet, enable a commented-out startup script for SSH, create a new privileged user, reboot, and get Linux shell root access that was persistent across reboots. (Figure 20)
Figure 20: Logging in to the ix2
When logged in, I found a standard embedded Linux system with 128 MB of RAM, running version 126.96.36.199 of the kernel and using common Linux apps such as busybox for utilities and Samba for file sharing. UPnP AV support was being supplied by a Twonkyvision server.
To determine how the ix2 was sending email with no SMTP server specification, I checked out the system log and saw a reference to a commercial SMTP service, authsmtp.com. Looking around for drivers, I saw support for a number of different filesystems such as xfs, ext2, FAT, etc.
Since there is a lot of GPL software in use on the ix2, Iomega should be supplying source code as required by the license. I couldn't find source to the ix2 on Iomega's web site or on the included CD. But they do have source posted for their other products, so I assume they'll make it available soon.
Since the search capability I used to hack the box is available to anyone on the network, anyone could perform the same operation without even logging in. And it would be easy to cause mischief by formatting a URL that embedded a command to do a reboot, reformat, re-initialize, password change, etc.
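The two weaknesses described above (a search term pasted into a shell command, and a search endpoint reachable without a login) are the classic shape of web-to-shell command injection on embedded NAS firmware. The following is an added example, not Iomega's code or anything recovered from the ix2: it shows how an injectable handler turns one search term into two shell commands, and beside it a hardened handler that requires a session, allow-lists the term, and hands it to `find` as a separate argv element so no shell ever parses it. The share root, the function names, the `authenticated` flag and the sample files are all assumptions constructed for the example.

```python
"""Added example: an injectable NAS search handler next to a hardened one.
Not Iomega's code; paths, names and sample data are constructed here."""
import os
import re
import shlex
import subprocess
import tempfile
from typing import List

# Allow-list for a filename search term: letters, digits, space, dot, dash,
# underscore, at most 64 characters. Anything else is rejected up front.
SAFE_TERM = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def unsafe_command(term: str) -> str:
    """How the vulnerable pattern builds its command line: the raw term is
    interpolated into a string that a shell will later parse. Returned as a
    string only; this example never executes it."""
    return f"find /mnt/shares -iname *{term}*"   # assumed share root


def count_shell_commands(command_line: str) -> int:
    """Tokenise a command line the way a POSIX shell would and count how many
    separate commands it contains. Useful as a log-review check: a search
    request that yields more than one command is an injection attempt."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    separators = {";", "|", "&", "||", "&&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def run_search(term: str, root: str, authenticated: bool) -> List[str]:
    """Hardened handler: session check, input allow-list, and an argv list
    instead of shell=True. Returns matching file paths relative to root."""
    if not authenticated:
        raise PermissionError("search requires a logged-in session")
    if not SAFE_TERM.fullmatch(term):
        raise ValueError(f"rejected search term: {term!r}")
    # find receives '*term*' as one argument and does the glob itself;
    # no shell is involved, so metacharacters can never become commands.
    result = subprocess.run(
        ["find", root, "-type", "f", "-iname", f"*{term}*"],
        capture_output=True, text=True, check=True,
    )
    return sorted(os.path.relpath(p, root) for p in result.stdout.splitlines())


def make_sample_share() -> str:
    """Constructed sample share: a temp directory with a few files."""
    root = tempfile.mkdtemp(prefix="ix2share_")
    for name in ("holiday photo.jpg", "notes.txt", "PHOTO_backup.zip"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    share = make_sample_share()
    print(count_shell_commands(unsafe_command("photo")))      # 1
    print(count_shell_commands(unsafe_command("x; reboot")))  # 2
    print(run_search("photo", share, authenticated=True))
    try:
        run_search("x; reboot", share, authenticated=True)
    except ValueError as exc:
        print("blocked:", exc)
```

The allow-list is the primary control and the argv list is the backstop: if a later firmware loosens the regex to admit more characters, the search still cannot reach a shell. The `count_shell_commands` check is the detection side, suitable for replaying logged search requests to spot attempts like the one the review describes.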
So I thought it only fair to report the vulnerability to Iomega before posting this review. Iomega responded quickly and has posted Version 188.8.131.52694 firmware that closes the hole.
The ix2 isn't a bad little NAS and has some unique capabilities that I haven't seen previously, most notably Bluetooth connectivity and IP camera management. And as with the original StorCenter, its price is one of the main draws. At the current low price of $422, it beats out the Maxtor Central Axis Business Edition by $60 and has a better feature set, RAID recovery and write performance, too.
The ix2 did much better than its predecessor with failure recovery after a disk failure. But it's unfortunate that Iomega doesn't support user replacement of failed drives, or at least doesn't refrain from voiding your warranty if you open the box to attempt data recovery before shipping it back to Iomega.
If you're looking for more features and performance and don't mind paying more, my picks would be the Qnap TS-209 or the Netgear ReadyNAS Duo. But if you're on a tight budget, can live without fancier features, are OK with mid-teen MB/s performance and want a lot of storage for the buck, then you might consider the ix2.