Western Digital’s My Cloud Storage Devices Have Hard-Coded Backdoor

Western Digital’s My Cloud Storage Devices Have Hard-Coded Backdoor

Western Digital’s My Cloud network attached storage (NAS) devices claim to offer an easy, all-in-one solution for storing your data at home. However, they might also be providing an easy, all-in-one solution for hackers to steal your data take control of your device. Western Digital was told about the vulnerabilities last year but has yet to patch many devices.

A Western Digital My Cloud NAS starts at less than $200 for a few terabytes with a single disk. It goes up to about $700 in the largest 16TB dual-drive system. Then there are the My Cloud EX series devices, which are more like a traditional NAS with user-accessible drive bays. These might cost well over $1,000 once equipped with drives. The majority of Western Digital’s network storage products are affected by the vulnerability.

According to researchers at GulfTech, WD’s NAS boxes use a broken security model that allows remote attackers to upload files and gain root access, but that’s not all. There’s also a hard-coded backdoor that could allow anyone to access your files. It’s really a mess.

The My Cloud devices are designed to be accessible by the owner locally as well as over the internet. It turns out someone else can ping the NAS remotely with a request to upload a file in such a way that the NAS lets them in. The researchers created a proof-of-concept module that can gain root access to the device, potentially allowing access to all the files contained in the NAS.

Drives inside a My Cloud Mirror backup NAS.
Drives inside a My Cloud Mirror backup NAS.

Things are made even worse by WD’s inclusion of a hard-coded backdoor. These devices contain an admin username “mydlinkBRionyg” and password “abc12345cba,” allowing anyone to log in remotely. This is hard-coded in the binary, so users cannot change it or revoke access. That makes the buggy code above extremely easy to access. An attacker could even hack the My Clouds on your network by tricking you into visiting a webpage with an embedded iframe that makes the login request.

GulfTech notified Western Digital of the vulnerabilities in June of last year, and the company requested a 90-day window to push out updates. Many devices still lack updates after six months, so GulfTech published its analysis. As of now, any of the affected models on firmware older than 4.x is vulnerable. If that’s you, it might be smart to disconnect the My Cloud for now, or at least put it someplace in your network where it can’t access the internet.

Continue reading

Top-Secret ‘Zuma’ Satellite Launched by SpaceX May Have Been Lost

The recent "Zuma" launch appeared to go off without a hitch, but now there's reason to think the US spy satellite might have been destroyed before going into operation.

What is Speculative Execution?

Speculative execution has been in the news of late, typically when discussing the Meltdown and Spectre bugs. We explain the topic.

OnePlus May Have Accidentally Sent Clipboard Data to Chinese Server

The latest beta version of its custom "OxygenOS" Android build was sending user clipboard data to a server in China. Oops.

CES 2018 in Photos: What We Remember Most

CES is always an overwhelming cacophony of sights and sounds, but a few images always stand out. Here are a few of our favorites from this year's show.