Western Digital 'My Cloud' devices have a hardcoded backdoor -- stop using these NAS drives NOW!
I must be honest -- I am starting to become fatigued by all of the vulnerabilities and security failures in technology nowadays. Quite frankly, between Spectre and Meltdown, I don't even want to use my computer or devices anymore -- I feel exposed.
Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital My Cloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files could be at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company apparently did nothing until November 2017. Let's be realistic -- not everyone stays on top of updates, and a backdoor never should have existed in the first place.
"Exploiting this issue to gain a remote shell as root is a rather trivial process. All an attacker has to do is send a post request that contains a file to upload using the parameter 'Filedata', a location for the fileto be upload to which is specified within the 'folder' parameter, and of course a bogus 'Host' header," says James Bercegay, GulfTech Research and Development.
Bercegay further explains, "The triviality of exploiting this issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc."
But wait -- why does a Western Digital product have a hardcoded username containing dlink? Weird right? The researchers did some investigating and found that the WD NAS devices once shared code with D-Link "Sharecenter" devices. Interestingly, these D-Link devices were issued patched firmware in 2014 and no longer contain the backdoor.
Bercegay shares the timeline below. As you can see, WesternDigital had plenty of time to fix this. It was reported in June of last year, but apparently, nothing was done for many months.
- 2017-06-10: Contacted vendor via web contact form. Assigned case #061117-12088041.
- 2017-06-12: Support member Gavin referred us to WDC PSIRT. We immediately sent a PGP encrypted copy of our report to WDC PSIRT.
- 2017-06-13: Received confirmation of report from Samuel Brown.
- 2017-06-16: A period of 90 days is requested by vendor until full disclosure.
- 2017-12-15: Zenofex posts disclosure of the upload bug independantly of my research
- 2018-01-03: Public Disclosure
If you aren't sure if your My Cloud Storage device is affected, please check against the below list. If your model is listed, you should unplug it from Ethernet immediately. Apparently, firmware 2.30.172 (issued November 2017) fixes the bug, so do not reconnect to the internet until you are sure that your device is updated and the vulnerability is patched.
- My Cloud Gen 2
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX2 Ultra
- My Cloud EX2
- My Cloud EX4
- My Cloud EX2100
- My Cloud EX4100
- My Cloud DL2100
- My Cloud DL4100
Please know, even if you updated the firmware in November, your files could have been accessed by nefarious people before then -- for years. That is very scary.
How does this situation affect your opinion of Western Digital? Tell me in the comments below.