IT Security: Twonky Server unprotected servers open on the web

Alessandro Giovanardi
2 min read · Nov 30, 2019


After a brief Shodan safari I found more than 20000 (yes, 20k!) unprotected Twonky media servers (no login/password required) running wild on the internet, allowing unauthorized access by third parties.
At the time of writing there are several known exploits targeting devices that run Twonky, which can compromise user privacy even further than what is already possible simply by accessing a (supposedly) private storage online.

(Screenshot: example of an unprotected Twonky Media Server)

For the less informed, let's see what a Twonky Server is, according to Twonky's own definition:

"[...] Twonky Server is the industry leading DLNA/UPnP Media Server from Lynx Technology that enables sharing media content between connected devices. Twonky Server is used worldwide and is available as a standalone server (end user installable, e.g. for PCs/Macs) or an embedded server for devices such as NAS, routers/gateways and STBs.

Twonky Server's web UI provides optimal capability for you to easily and reliably control and play back your media files in a variety of ways, and to "beam" those media files to other connected devices." -- extract from https://twonky.com

The following are some quick stats related to devices running Twonky servers:

Top Countries:
1. United States
2. Germany
3. Korea
4. Russian Federation
5. France
6. Italy
7. Taiwan
8. Poland
9. Hungary
10. United Kingdom

TwonkyMedia Server seems to be pre-installed on a huge range of NAS devices, for example:
- Thecus N2310
- Thecus N4560
- WDMyCloud
- MyCloudEX2Ultra
- WDMyCloudEX4
- WDMyCloudEX2100
- QNAP
- Zyxel NAS326
- Zyxel NAS542
- Zyxel NSA310
- Zyxel NSA310S
- Zyxel NSA320
- Zyxel NSA325-v2

Other devices:
- Belkin routers
- Zyxel EMG2926-Q10A

It is really common that a device you are using, such as a smart connected TV, a NAS, a router or even a computer itself, is running a TwonkyServer to accomplish its task of sharing files over a predefined network. This means that most of the time users aren't even aware that this software is running on their connected devices. If you are not sure whether your devices are running such software in unprotected mode, you must take action now and secure access with a login and password.

All TwonkyMedia Server versions from 7.0.11 to 8.5 have been tested as vulnerable.
At the time of writing this advisory, 8.5.1 is the latest version available:
https://twonky.com/downloads/index.html

It's crucial that you upgrade your Twonky Server to the latest version to avoid loss of confidential data.
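To verify that the login/password you set on your own NAS or router is actually enforced, here is a small audit check. It is an added example, not code from the original post or from Lynx Technology, and it assumes (unverified here) that the Twonky web UI listens on TCP port 9000 by default and replies with HTTP 401 to an unauthenticated request once a password is configured.

```python
"""Audit check: does a Twonky Server web UI answer without credentials?

Assumptions (not taken from the original post): the web UI listens on
TCP 9000, answers 401 when a login/password is set, and a 200 response
whose body mentions 'Twonky' means the UI was served with no login at all.
"""
import urllib.error
import urllib.request

PROTECTED, UNPROTECTED, NOT_TWONKY = "protected", "unprotected", "not-twonky"


def classify(status: int, body: str) -> str:
    """Map an HTTP status and body from the web UI to an audit verdict."""
    if status == 401:
        return PROTECTED      # server demanded credentials: as it should
    if status == 200 and "twonky" in body.lower():
        return UNPROTECTED    # UI served without any login prompt: fix this
    return NOT_TWONKY         # not a Twonky UI, or an unexpected answer


def check_host(host: str, port: int = 9000, timeout: float = 3.0) -> str:
    """Fetch the web UI of a device you own and classify its answer."""
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:   # 401/403/404 arrive as exceptions
        return classify(err.code, "")
    except (urllib.error.URLError, OSError):  # unreachable or closed port
        return NOT_TWONKY


# Constructed sample responses (not captured from any real device)
SAMPLE_RESPONSES = {
    "nas-with-password": (401, ""),
    "nas-no-password": (200, "<html><title>Twonky Server</title></html>"),
    "printer": (200, "<html><title>Printer status</title></html>"),
}


def audit_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {name: classify(*resp) for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name}: {verdict}")
```

Run `check_host("192.168.1.10")` against your own NAS; a result of `unprotected` means the password setting did not take effect and the device should be fixed before it is reachable from outside your network.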

Hope this helps your own privacy!

Stay safe, stay crypto.
