Friday, January 5th 2018
Western Digital Ships "Someone's Backdoor" With My Cloud Drives
Western Digital has seemingly been shipping their My Cloud personal network attached storage solutions with an integrated backdoor. It's not really that complicated a backdoor either - a malicious user should always be able to use it. That stems from the fact that it's a hard-coded backdoor with unchangeable credentials - logging in to someone's My Cloud is as simple as entering "mydlinkBRionyg" as the Administrator username and "abc12345cba" as the respective password. Once logged in, shell access is unlocked, which allows for easy injection of commands.
The backdoor has been published by James Bercegay, with GulfTech Research and Development, and was disclosed to Western Digital on June 12th 2017. However, since more than 6 months have passed with no patch or solution having been deployed, the researchers disclosed and published the vulnerability, which should (should) finally prompt WD to action on fixing the issue. Making things even worse, no user action is required to enable attackers to take advantage of the exploit - simply visiting malicious websites can leave the drives wide open to exploitation - and the publication of a Metasploit module for this very vulnerability means that the code is now out there, and Western Digital has a race on its hands. The thing is, it needn't have.
Exploitable models of Western Digital's My Cloud devices include My Cloud Gen 2, My Cloud EX2, My Cloud EX2 Ultra, My Cloud PR2100, My Cloud PR4100, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100. Needless to say, until a patch is issued, the best thing to do is to thoroughly disconnect these drives from your local area network and Internet access. But that isn't what users originally bought these drives for, now is it, WD?
Sources:
GulfTech.org, via TechSpot, Packet Storm Security
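For anyone who has to keep one of these drives on the network for now, the hard-coded username is at least a reliable thing to watch for. The sketch below is an added example, not code from GulfTech or Western Digital: it scans web access logs in combined log format for requests that carry that username and marks the ones whose Referer points at a different site, which is what the "visiting a malicious website" scenario looks like. The log source (the device itself or a proxy in front of it), the request path, parameter name and addresses in the sample are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

BACKDOOR_USER = "mydlinkBRionyg"  # hard-coded username quoted in the article

# Combined log format: ip - user [time] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

def find_backdoor_logins(lines, nas_hosts):
    """Return one finding per request whose URL carries the hard-coded username.

    nas_hosts: names/IPs under which the NAS itself is reached. A Referer from
    any other host means a third-party page made the browser send the request.
    Only the request line is inspected; POST bodies are not in access logs.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        target = m["target"]
        for _ in range(3):  # undo single and double percent-encoding
            decoded = unquote_plus(target)
            if decoded == target:
                break
            target = decoded
        if BACKDOOR_USER.lower() not in target.lower():
            continue
        ref_host = urlsplit(m["referer"]).hostname  # None when Referer is "-"
        findings.append({
            "client": m["ip"],
            "time": m["time"],
            "status": int(m["status"]),
            "cross_site": ref_host is not None and ref_host not in nas_hosts,
        })
    return findings

# Constructed sample lines: path, parameter name, hosts and addresses are made up.
SAMPLE = [
    '192.0.2.21 - - [05/Jan/2018:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.21 - - [05/Jan/2018:10:02:40 +0000] "GET /cgi-bin/example.cgi?login=mydlinkBRionyg HTTP/1.1" 200 87 "http://news.example/article" "Mozilla/5.0"',
    '192.0.2.35 - - [05/Jan/2018:10:05:03 +0000] "GET /cgi-bin/example.cgi?login=mydlink%42Rionyg HTTP/1.1" 200 87 "-" "curl/7.57"',
]

if __name__ == "__main__":
    for hit in find_backdoor_logins(SAMPLE, {"192.0.2.10"}):
        print(hit)
```

Any hit is worth investigating, since no legitimate account on the device should use that name; a hit with `cross_site` set additionally identifies the LAN client whose browser relayed the request.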
17 Comments on Western Digital Ships "Someone's Backdoor" With My Cloud Drives
What the hell WD...
So it's basically a set of critical vulnerabilities that leave the devices open to remote exploit, which WD were told about six months ago, and they did nothing?
Oh well. We'll all have forgotten about it in a week.
The NAS ones do come in single cheapos, too. That's the reason for buying the WDs. They're super cheap on clearance.
The single units usually aren't that cheap though, unless they are refurbished, and I wouldn't trust my data on a refurbished hard drive if WD was paying me to use the drive. And even the refurbished My Cloud drives aren't usually cheap enough to warrant buying just to shuck. The 4TB MyCloud refurbished is $150. You can get a brand new 4TB hard drive for $100. I've never seen a NAS unit on sale for cheap enough to buy just to shuck.
Then there are the WD MyCloud line of products which are NAS units. They come in single drive, dual drive and quad drive models. I bought a WD MyCloud EX2 (diskless, as in no included drives) a while back and I wasn’t impressed with it. The WD interface software (Linux OS) implementation is extremely weak. One of the worst I’ve ever seen. If it is actually coming from D-Link then fine, but no matter what it’s not something you’ll likely want to use even if this security related issue were not a problem. I took my WD MyCloud EX2 offline long ago and upgraded to a Synology I bay model. I’m thinking of upgrading again to a QNAP 12 or 16 bay sometime this year.
Maybe something in the QNAP TVS-1282 line so it can double as a NAS and a DAS.