Western Digital’s My Cloud Storage Devices Have Hard-Coded Backdoor

Western Digital’s My Cloud network attached storage (NAS) devices claim to offer an easy, all-in-one solution for storing your data at home. However, they might also be providing an easy, all-in-one solution for hackers to steal your data and take control of your device. Western Digital was told about the vulnerabilities last year but has yet to patch many devices.

A Western Digital My Cloud NAS starts at less than $200 for a few terabytes with a single disk. It goes up to about $700 in the largest 16TB dual-drive system. Then there are the My Cloud EX series devices, which are more like a traditional NAS with user-accessible drive bays. These might cost well over $1,000 once equipped with drives. The majority of Western Digital’s network storage products are affected by the vulnerability.

According to researchers at GulfTech, WD’s NAS boxes use a broken security model that allows remote attackers to upload files and gain root access, but that’s not all. There’s also a hard-coded backdoor that could allow anyone to access your files. It’s really a mess.

The My Cloud devices are designed to be accessible by the owner locally as well as over the internet. It turns out someone else can ping the NAS remotely with a request to upload a file in such a way that the NAS lets them in. The researchers created a proof-of-concept module that can gain root access to the device, potentially allowing access to all the files contained in the NAS.

Drives inside a My Cloud Mirror backup NAS.

Things are made even worse by WD’s inclusion of a hard-coded backdoor. These devices contain an admin username “mydlinkBRionyg” and password “abc12345cba,” allowing anyone to log in remotely. This is hard-coded in the binary, so users cannot change it or revoke access. That makes the buggy code above extremely easy to access. An attacker could even hack the My Clouds on your network by tricking you into visiting a webpage with an embedded iframe that makes the login request.
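For owners who front the NAS with a web server or proxy that logs requests, the following added example (not from GulfTech or Western Digital) flags any logged request whose query string carries the backdoor username and marks those that arrived with a foreign Referer, which is what the embedded-iframe scenario would produce. It assumes Apache/nginx "combined" format logs; the request path, parameter names, hosts and log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

BACKDOOR_USER = "mydlinkBRionyg"  # username quoted in the article

# Apache/nginx "combined" access-log format (assumed log source).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed sample lines; the path and parameter names are hypothetical.
SAMPLE_LOG = [
    '192.168.1.20 - - [10/Jan/2018:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Jan/2018:09:15:40 +0000] "GET /cgi-bin/example_login.cgi?user=mydlink%42Rionyg&pw=x HTTP/1.1" 200 87 "http://news.example/article" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2018:09:20:11 +0000] "GET /cgi-bin/example_login.cgi?user=mydlinkBRionyg&pw=x HTTP/1.1" 200 87 "-" "curl/7.58"',
    '192.168.1.20 - - [10/Jan/2018:09:21:00 +0000] "GET /cgi-bin/example_login.cgi?user=admin&pw=x HTTP/1.1" 401 12 "http://192.168.1.50/" "Mozilla/5.0"',
]


def find_backdoor_logins(lines, nas_hosts):
    """Return one finding per request whose URL carries the backdoor username."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # parse_qsl percent-decodes values, so an encoded username still matches.
        query = urlsplit(m["target"]).query
        values = [v for _, v in parse_qsl(query, keep_blank_values=True)]
        if BACKDOOR_USER not in values:
            continue
        # A Referer on another host means a third-party page triggered the request.
        ref_host = urlsplit(m["referer"]).hostname
        findings.append({
            "client": m["ip"],
            "time": m["ts"],
            "status": int(m["status"]),
            "cross_site": ref_host is not None and ref_host not in nas_hosts,
        })
    return findings


if __name__ == "__main__":
    for hit in find_backdoor_logins(SAMPLE_LOG, nas_hosts={"192.168.1.50"}):
        print(hit)
```

Because the account cannot be changed or revoked, any hit is worth investigating regardless of the response status.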

GulfTech notified Western Digital of the vulnerabilities in June of last year, and the company requested a 90-day window to push out updates. Many devices still lack updates after six months, so GulfTech published its analysis. As of now, any of the affected models on firmware older than 4.x is vulnerable. If that’s you, it might be smart to disconnect the My Cloud for now, or at least put it someplace in your network where it can’t access the internet.
