The WD My Cloud line has been found to be vulnerable to multiple attacks and while one bug was fixed, other ones were introduced. That is the bad news and the maybe worse news is, that the flaws are public knowledge now. With that in mind, you might want to kill the internet connection to your WD My Cloud device, if you have one running.
Exploitee.rs discovered a number of unpatched security flaws in Western Digital’s My Cloud models that let remote intruders bypass the login system altogether, insert their own commands, and upload files without any permissions at all. Those are some serious flaws.
The reason that the researchers went public with their findings right away instead of reporting them back to WD is that WD has a very bad reputation in that regard. For example, the vendor won a “Pwnie for Lamest Vendor Response” at the last BlackHat conference in Vegas in a situation where the vendor ignored the severity of a set of bugs reported to them. By going public with the information, Exploitee.r hopes to force WD to react and patch the flaws.
While forcing WD’s hand, the researchers also put users are at risk until the flaws are patched. So it is highly recommended that you disconnect any of these devices from the Internet. They’ll still be vulnerable locally through your ethernet connections, but that is a lot harder for hackers to gain access to.
The full blog post goes into details on how to reproduce and exploit the hack through the web interface’s source code, and it also explains why it’s possible. In short, bad coding skills and misuse of commands. There is even a demo video on YouTube which shows you how it is done. The scary part is how easy it is. Now we only can hope that WD patches these issues as soon as possible.
Most, if not all, of the research, can be applied to the entire series of Western Digital My Cloud products. This includes the following devices:
And number of bugs found in total is the scariest part:
Electronic Arts (EA) announced today that its games were played for over 11 billion hours…
Steam's annual end-of-year recap, Steam Replay, provides fascinating insights into gamer habits by comparing individual…
GSC GameWorld released a major title update for STALKER 2 this seeking, bringing the game…
Without any formal announcement, Intel appears to have revealed its new Core 200H series processors…
Ubisoft is not having the best of times, but despite recent flops, the company still…
If you haven’t started playing STALKER 2: Heart of Chornobyl yet, now might be the…