When a backdoor is discovered in a product, you would expect the product’s maker to fix it quickly.
Western Digital makes some amazing personal cloud products. I personally use and love these products. Unfortunately, it appears that security is not high on the list of Western Digital’s priorities.
We first reported on the vulnerabilities affecting the WD MyCloud products back in March of 2017. These and more vulnerabilities were independently discovered by another researcher in June of last year. The researcher, James Bercegay of GulfTech Research and Development, reported the details of these vulnerabilities.
WD MyCloud devices allowed unrestricted file upload, which let an attacker upload files to the device remotely. Bercegay exploited this vulnerability by uploading web shells, which gave him full control over the unit.
A hardcoded backdoor account allowed attackers to log in to any device using a standard username and login. Although this was not an admin login, Bercegay was able to use other vulnerabilities to gain root access through this login. With this backdoor, attackers could attack a user’s network through the drive itself.
The following devices were vulnerable:
My Cloud Gen 2
My Cloud PR2100
My Cloud PR4100
My Cloud EX2 Ultra
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100
MyCloud Home devices do not have these vulnerabilities.
Western Digital patched the vulnerabilities in a firmware update in November of 2017. As a WD MyCloud user, I’m not happy with the time it took Western Digital to issue this patch. While my current drive was not one of the affected devices, it doesn’t give me much confidence that Western Digital is concerned about my security. If you have one of the devices listed above, ensure that it is up to date with the latest firmware.