The WD My Cloud line has been found to be vulnerable to multiple attacks and while one bug was fixed, other ones were introduced. That is the bad news and the maybe worse news is, that the flaws are public knowledge now. With that in mind, you might want to kill the internet connection to your WD My Cloud device, if you have one running.
Exploitee.rs discovered a number of unpatched security flaws in Western Digital’s My Cloud models that let remote intruders bypass the login system altogether, insert their own commands, and upload files without any permissions at all. Those are some serious flaws.
The reason that the researchers went public with their findings right away instead of reporting them back to WD is that WD has a very bad reputation in that regard. For example, the vendor won a “Pwnie for Lamest Vendor Response” at the last BlackHat conference in Vegas in a situation where the vendor ignored the severity of a set of bugs reported to them. By going public with the information, Exploitee.r hopes to force WD to react and patch the flaws.
While forcing WD’s hand, the researchers also put users are at risk until the flaws are patched. So it is highly recommended that you disconnect any of these devices from the Internet. They’ll still be vulnerable locally through your ethernet connections, but that is a lot harder for hackers to gain access to.
The full blog post goes into details on how to reproduce and exploit the hack through the web interface’s source code, and it also explains why it’s possible. In short, bad coding skills and misuse of commands. There is even a demo video on YouTube which shows you how it is done. The scary part is how easy it is. Now we only can hope that WD patches these issues as soon as possible.
Most, if not all, of the research, can be applied to the entire series of Western Digital My Cloud products. This includes the following devices:
And number of bugs found in total is the scariest part:
SK Hynix has claimed to be the first company to mass-produce 321-layer NAND memory chips.…
SOUNDS GREAT – Full stereo sound (12W peak power) gives your setup a booming audio…
Special Edition Yoshi design Ergonomic controller shape with Nintendo Switch button layout Detachable 10ft (3m)…
Fluid Motion: These flight rudder pedals are smooth and accurate that enable precise control over…
Heavy Equipment Bundle: Includes a steering wheel for heavy machinery, gas and brake pedals, and…
Low-profile Keys for an ergonomic gaming experience. With slimmer keycaps and shorter switches, enjoy natural…