Western Digital’s My Cloud Storage Devices Have Hard-Coded Backdoor

Western Digital’s My Cloud Storage Devices Have Hard-Coded Backdoor

Western Digital’s My Cloud network attached storage (NAS) devices claim to offer an easy, all-in-one solution for storing your data at home. However, they might also be providing an easy, all-in-one solution for hackers to steal your data take control of your device. Western Digital was told about the vulnerabilities last year but has yet to patch many devices.

A Western Digital My Cloud NAS starts at less than $200 for a few terabytes with a single disk. It goes up to about $700 in the largest 16TB dual-drive system. Then there are the My Cloud EX series devices, which are more like a traditional NAS with user-accessible drive bays. These might cost well over $1,000 once equipped with drives. The majority of Western Digital’s network storage products are affected by the vulnerability.

According to researchers at GulfTech, WD’s NAS boxes use a broken security model that allows remote attackers to upload files and gain root access, but that’s not all. There’s also a hard-coded backdoor that could allow anyone to access your files. It’s really a mess.

The My Cloud devices are designed to be accessible by the owner locally as well as over the internet. It turns out someone else can ping the NAS remotely with a request to upload a file in such a way that the NAS lets them in. The researchers created a proof-of-concept module that can gain root access to the device, potentially allowing access to all the files contained in the NAS.

Drives inside a My Cloud Mirror backup NAS.
Drives inside a My Cloud Mirror backup NAS.

Things are made even worse by WD’s inclusion of a hard-coded backdoor. These devices contain an admin username “mydlinkBRionyg” and password “abc12345cba,” allowing anyone to log in remotely. This is hard-coded in the binary, so users cannot change it or revoke access. That makes the buggy code above extremely easy to access. An attacker could even hack the My Clouds on your network by tricking you into visiting a webpage with an embedded iframe that makes the login request.

GulfTech notified Western Digital of the vulnerabilities in June of last year, and the company requested a 90-day window to push out updates. Many devices still lack updates after six months, so GulfTech published its analysis. As of now, any of the affected models on firmware older than 4.x is vulnerable. If that’s you, it might be smart to disconnect the My Cloud for now, or at least put it someplace in your network where it can’t access the internet.

Continue reading

Google Pixel Slate Owners Report Failing Flash Storage
Google Pixel Slate Owners Report Failing Flash Storage

Google's product support forums are flooded with angry Pixel Slate owners who say their devices are running into frequent, crippling storage errors.

The Xbox Series S Is Handicapped by Its Storage Capacity
The Xbox Series S Is Handicapped by Its Storage Capacity

The Xbox Series S has been favorably received, for the most part, but the console's low base storage makes the Xbox Series X a better value for a lot of people.

Google Kills Free Photo Storage, Changes What Counts Toward Storage Caps
Google Kills Free Photo Storage, Changes What Counts Toward Storage Caps

Google has announced some significant changes to Photos, especially if you use the service for automatic backup.

Seagate Announces Its Own RISC-V Cores for Future Storage Controllers
Seagate Announces Its Own RISC-V Cores for Future Storage Controllers

To hit its 50TB per-drive target over the next few years, Seagate decided it needed a custom storage controller. RISC-V offered a solution.