News reports about Western Digital's implementation of new security measures started appearing online last week—My Cloud product owners were puzzled upon discovering that their access to cloud services had been blocked. Devices not updated with the latest firmware - version 5.26.202 (My Cloud) and 9.4.1-101 (My Cloud Home, SanDisk ibi) - were and continue to be barred from the start date effective June 15. This relatively new measure has been implemented in order to prevent further exploits of security vulnerabilities. WD is likely shoring up its online defenses following a major cyber attack on its My Cloud back in March, a hacker group demanded a hefty ransom fee for the return of private customer data. WD restored My Cloud services by mid-May, and released several software updates and security fixes.

According to a company security bulletin (issued last week): "Devices on firmware below 5.26.202 will not be able to connect to Western Digital cloud services starting June 15, 2023, and users will not be able to access data on their device through mycloud.com and the My Cloud OS 5 mobile app until they update the device to the latest firmware...Users can continue to access their data via Local Access." The latest fixes should protect customers from unauthorized access and ransomware attacks, but WD has not provided any further news about any ongoing negotiations with the hacker group behind the Spring data breach.

Western Digital has seemingly been shipping their My Cloud personal network attached storage solutions with an integrated backdoor. It's not really that complicated a backdoor either - a malicious user should always be able to use it. That stems from the fact that it's a hard coded backdoor with unchangeable credentials - logging in to someone's My Cloud is as simple as inputing "mydlinkBRionyg" as the Administrator username and "abc12345cba" as the respective password. Once logged in, shell access is unlocked, which allows for easy injection of commands.

The backdoor has been published by James Bercegay, with GulfTech Research and Development, and was disclosed to Western Digital on June 12th 2017. However, since more than 6 months have passed with no patch or solution having been deployed, the researchers disclosed and published the vulnerability, which should (should) finally prompt WD to action on fixing the issue. Making things even worse, no user action is required to enable attackers to take advantage of the exploit - simply visiting malicious websites can leave the drives wide open for exploit - and the outing of a Metasploit module for this very vulnerability means that the code is now out there, and Western Digital has a race in its hands. The thing is, it needn't have.