For just one technique, read up on DNS rebinding attacks vs home "routers". Same works against NAS devices.
These devices are so common that it is cost effective to do against a bunch of device+vuln combos in a mass drive-by fashion (served by compromised or shady ad networks or any of the other 100 methods that get you to follow a bad link).
Or there's going to be another taiwanese device or PC compromised on your LAN and it'll automatically portscan & metasploit all your network in 5 minutes.
Also don't think getting "targeted" means you have to be James Bond-special. It can mean someone found a prominent blog they'd like to inject their rogue ads on. Or you pissed someone off online and they got some script kiddies to spend 10 minutes to ruin your day and get their laughs (or $20 in bitcoin).
Dropbox's security guys will detect these after they get used a few times (before they get to you), unlike your taiwanese NAS vendor who will only do something half-assed 2 weeks after it hits the news. Or nothing when it doesn't hit the news, as often happens.
All in all the mindset that you have "LAN" or "intranet" that's a significant security perimeter is outdated even if you're nobody. Don't make a network that's "hard and crunchy on the outside, soft and chewy on the inside".
Well, it the rebind attacks depends on multiple weak points. Our DNS cache does not allow for external DNS servers to return IP addresses from our internal range. But I guess not everyone's router does that.
These devices are so common that it is cost effective to do against a bunch of device+vuln combos in a mass drive-by fashion (served by compromised or shady ad networks or any of the other 100 methods that get you to follow a bad link).
Or there's going to be another taiwanese device or PC compromised on your LAN and it'll automatically portscan & metasploit all your network in 5 minutes.
Also don't think getting "targeted" means you have to be James Bond-special. It can mean someone found a prominent blog they'd like to inject their rogue ads on. Or you pissed someone off online and they got some script kiddies to spend 10 minutes to ruin your day and get their laughs (or $20 in bitcoin).
Dropbox's security guys will detect these after they get used a few times (before they get to you), unlike your taiwanese NAS vendor who will only do something half-assed 2 weeks after it hits the news. Or nothing when it doesn't hit the news, as often happens.
All in all the mindset that you have "LAN" or "intranet" that's a significant security perimeter is outdated even if you're nobody. Don't make a network that's "hard and crunchy on the outside, soft and chewy on the inside".