Slashdot Mirror


Western Digital 'My Cloud' Devices Have a Hardcoded Backdoor (betanews.com)

BrianFagioli shares a report from BetaNews: Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital MyCloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files are at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing. GulfTech Research and Development explains, "The triviality of exploiting this issue makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc." The My Cloud Storage devices affected by this backdoor include: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Firmware 2.30.172 reportedly fixes the bug, so make sure your device is updated before reconnecting to the internet.
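The two attack paths the summary describes, a login with the hardcoded account and a cross-site request to a predictable default hostname, leave recognisable traces in a device's or proxy's access log. The following is an added example, not code from WD, GulfTech or BetaNews: it scans a constructed log sample for both patterns and checks a firmware version string against the 2.30.172 fix. The log format, the `/cgi-bin/login.cgi` and `/cgi-bin/files.cgi` paths and the client addresses are assumptions made up for illustration; the username, the hostnames and the fix version are the ones the summary gives.

```python
import re
from urllib.parse import urlparse

BACKDOOR_USER = "mydlinkBRionyg"                      # from the advisory quoted above
DEFAULT_HOSTNAMES = {"wdmycloud", "wdmycloudmirror"}  # predictable default names named above
FIXED_VERSION = "2.30.172"                            # firmware the summary says fixes the issue

# Constructed access-log sample (not real data). Assumed format:
#   client host "METHOD PATH PROTO" status "referer"
# The CGI paths are made up for the example.
SAMPLE_LOG = """\
192.168.1.20 wdmycloud "POST /cgi-bin/login.cgi?username=alice HTTP/1.1" 200 "http://wdmycloud/"
192.168.1.21 wdmycloud "POST /cgi-bin/login.cgi?username=mydlinkBRionyg HTTP/1.1" 200 "-"
192.168.1.22 wdmycloudmirror "GET /cgi-bin/files.cgi?dir=/ HTTP/1.1" 200 "http://evil.example/"
192.168.1.23 wdmycloud "GET /cgi-bin/files.cgi?dir=/ HTTP/1.1" 200 "http://wdmycloud/ui/"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, host, method, path, status, referer = m.groups()
    return {"client": client, "host": host.lower(), "method": method,
            "path": path, "status": int(status), "referer": referer}


def scan_log(text):
    """Flag (1) any request carrying the hardcoded username and (2) any request
    addressed to a default hostname whose Referer names a different host, which
    is the trace a cross-site iframe/img request leaves. A missing Referer ("-")
    is not treated as clean: browsers and extensions strip it, so this check can
    only ever produce positives, never clear a request."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if f"username={BACKDOOR_USER}" in rec["path"]:
            findings.append(("backdoor-credential", rec["client"], rec["path"]))
        if rec["host"] in DEFAULT_HOSTNAMES and rec["referer"] != "-":
            ref_host = (urlparse(rec["referer"]).hostname or "").lower()
            if ref_host != rec["host"]:
                findings.append(("cross-site-request", rec["client"], rec["referer"]))
    return findings


def parse_version(v):
    """Split a dotted firmware version into integers so the comparison is numeric."""
    return tuple(int(part) for part in v.split("."))


def is_patched(installed):
    """True if the installed firmware is at or above the version that fixes the bug.
    Comparing the strings directly gets this wrong: "2.30.9" > "2.30.172" as text."""
    return parse_version(installed) >= parse_version(FIXED_VERSION)


if __name__ == "__main__":
    for kind, client, detail in scan_log(SAMPLE_LOG):
        print(f"{kind:20} from {client}: {detail}")
    for v in ("2.30.9", "2.30.172", "2.31.10"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
```

The version check compares field by field as integers; comparing the raw strings would call 2.30.9 newer than 2.30.172 and report an unpatched device as fixed. The log scan is only as good as the format regex, so adapt `LINE_RE` to whatever the real device or proxy writes.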

160 comments

  1. 12345? by Anonymous Coward · · Score: 1

    12345? That's the same combination as my luggage!

    1. Re: 12345? by Anonymous Coward · · Score: 0

Nice, the username is more complex than the password. Although they did reverse 'abc' as 'cba'; that's gotta help, right?

    2. Re:12345? by perpenso · · Score: 2, Funny

      12345? That's the same combination as my luggage!

      Per TSA regulations :-)

    3. Re:12345? by Anonymous Coward · · Score: 0

      Tha movie you're referencing came out 31 years ago. Your age is showing.

      So?

    4. Re:12345? by Anonymous Coward · · Score: 0

      That quote is still relevant, though.

      And it's spelled "THAT", by the way.

    5. Re:12345? by Anonymous Coward · · Score: 1

      No, it is showing that a simple way to break into something was known 31 years ago by a non-IT person yet the same stupid way of thinking about security is still being used today.

      E.C.P.

    6. Re: 12345? by Khyber · · Score: 2

      Nah. Always Be Careful... 12345... Can't Be Assed.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    7. Re: 12345? by Anonymous Coward · · Score: 0

      The Wizard of Oz came out before I was born but I've still seen it. Dumbass.

    8. Re:12345? by Ackmo · · Score: 5, Funny

      Tha movie you're referencing came out 31 years ago. Your age is showing.

      I'm shocked - shocked! - to find that old movie references are going on in here!

    9. Re: 12345? by I'm+New+Around+Here · · Score: 1

      I've seen most of it.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    10. Re:12345? by Anonymous Coward · · Score: 0

What's your point? It was and continues to be an epic movie.

    11. Re: 12345? by JustOK · · Score: 2

      Michael Jackson's BEST movie, IMHO

      --
      rewriting history since 2109
    12. Re:12345? by The+Grim+Reefer · · Score: 1

      12345? That's the same combination as my luggage!

      That's some pretty secure luggage. I've rarely seen luggage locks that go past 1234. Not that it matters. Even the ones the TSA can unlock they just throw away. I gave up on luggage locks within the first month of the existence of the TSA.

    13. Re:12345? by Anonymous Coward · · Score: 0

      Tha movie you're referencing came out 31 years ago. Your age is showing.

      The only thing this reference is showing is that stupidity and ignorance, is timeless.

    14. Re: 12345? by Anonymous Coward · · Score: 0

      Heh. Now explain the username. :P

    15. Re: 12345? by Anonymous Coward · · Score: 0

      "My dick Brian omg"

    16. Re:12345? by Anonymous Coward · · Score: 0

      It's very fitting that your nick is "Jason1729" because your IQ is 17.29

    17. Re: 12345? by Anonymous Coward · · Score: 0

"Spelled"? It's "spelt".

      Bloody provincials!

    18. Re:12345? by elgatozorbas · · Score: 2

      Your karma, Sir.

    19. Re: 12345? by Anonymous Coward · · Score: 0

And this is why Millennials suck.

    20. Re:12345? by EricTDuckman1414 · · Score: 1

      Tha movie you're referencing came out 31 years ago. Your age is showing.

      The only thing this reference is showing is that stupidity and ignorance, is timeless.

      "are timeless" Your verb number should agree with your subject.

    21. Re:12345? by crtreece · · Score: 1

      I'm shocked - shocked! - to find that old movie references are going on in here!

      Inconceivable!

      --
      file: .signature not found
  2. "Hardcoded"? by dfm3 · · Score: 0, Troll

    ...have a hardcoded backdoor, meaning anyone can access them...

    Firmware 2.30.172 reportedly fixes the bug...

    I don't think that word means what the author thinks it means.

    1. Re:"Hardcoded"? by Jake+Griffin · · Score: 4, Insightful

      ...it was disclosed to Western Digital six months ago and the company did nothing.

      Firmware 2.30.172 reportedly fixes the bug...

      Also, I don't think releasing a firmware update is doing nothing.

      --
      SIG FAULT: Post index out of bounds.
    2. Re:"Hardcoded"? by Jake+Griffin · · Score: 1

      Their release notes even state that it resolves "critical security vulnerabilities" - https://community.wd.com/t/2-3...

      --
      SIG FAULT: Post index out of bounds.
    3. Re:"Hardcoded"? by Anonymous Coward · · Score: 0

      It means Superfag Kendall is getting a tattoo on the inside of his asshole that only Trump can read.

    4. Re:"Hardcoded"? by fisted · · Score: 3

      "Bug"? Yeah, me neither.

      As for "hardcoded", I don't think the word means what you think it means.

    5. Re: "Hardcoded"? by Anonymous Coward · · Score: 0

If the login/password is not user configurable and requires a firmware update to change it, that is absolutely hardcoded. Hardcoded doesn't mean burned into ROM. It simply means that the value is written into the code, instead of being pulled dynamically from a config file, database, flash register, or something else easily reconfigurable by the user.

    6. Re: "Hardcoded"? by Anonymous Coward · · Score: 0

      Sure it does... it means they are changing the password.

    7. Re:"Hardcoded"? by Anonymous Coward · · Score: 0

      I think you don't know what hard-coded means. Time for supper Timmy.

    8. Re: "Hardcoded"? by Anonymous Coward · · Score: 0

      This. Probably some harebrained "encryption algorithm" hastily copied from stack overflow.

      Outsourcing and H1B programmers really make the best stuff.

    9. Re: "Hardcoded"? by Anonymous Coward · · Score: 0

      Please to do the needful and kys my main man.

    10. Re:"Hardcoded"? by sjames · · Score: 3, Insightful

      Hard coded means written into the software as opposed to being user configurable. So the author is correct and you were wrong.

      Hardcoded is why it takes a firmware update to change it rather than go to setup page x and uncheck the box next to "big security hole".
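For the distinction drawn in this thread, here is an added example (not WD firmware code) of the two shapes in plain Python: a login check with a credential written into the code beside one that only consults a writable user store holding salted, constant-time-compared password hashes. The function names, the in-memory `users` dict and the sample account are assumptions for illustration; the hardcoded username and password are the ones reported in the summary.

```python
import hashlib
import hmac
import secrets

# --- Vulnerable shape: the credential is a literal in the code. No settings page
# can remove it; only a new firmware image can. Values are those reported above.
HARDCODED_USER = "mydlinkBRionyg"
HARDCODED_PASS = "abc12345cba"


def check_login_vulnerable(users, username, password):
    """Accepts the backdoor account regardless of what the user store holds."""
    if username == HARDCODED_USER and password == HARDCODED_PASS:
        return True
    return users.get(username) == password  # plaintext store, plain == compare


# --- Hardened shape: every account lives in the writable user store (here an
# in-memory dict standing in for e.g. /etc/shadow or a config database),
# passwords are stored as salted PBKDF2 hashes, and comparison is constant-time.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return a record {salt, hash} for storage, with a fresh random salt per user."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Used when the username does not exist, so an unknown user costs the same
# time as a known one and the response does not leak which names are valid.
_DUMMY = hash_password("not-a-real-password")


def check_login_hardened(users, username, password):
    """True only if `username` is in the store and `password` matches its hash."""
    record = users.get(username, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return username in users and hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    store_v = {"alice": "hunter2"}
    store_h = {"alice": hash_password("hunter2")}
    print("vulnerable, backdoor:", check_login_vulnerable(store_v, HARDCODED_USER, HARDCODED_PASS))
    print("hardened, backdoor:  ", check_login_hardened(store_h, HARDCODED_USER, HARDCODED_PASS))
    print("hardened, alice:     ", check_login_hardened(store_h, "alice", "hunter2"))
```

In the hardened form there is nothing for a firmware update to remove: an account exists only if an administrator put it in the store, and an "I forgot my password" recovery path has to be a deliberate, visible feature (a reset button, a console login) rather than a second credential nobody can see.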

    11. Re:"Hardcoded"? by pnutjam · · Score: 1

Well, since D-Link patched the same hole (DLINK!) in 2014, yeah, this is some shared codebase, and it was reported by security researchers in 2017; they really took their time.

    12. Re:"Hardcoded"? by Anonymous Coward · · Score: 0

      yes, I have that firmware and the user/pass don't work.

    13. Re:"Hardcoded"? by Anonymous Coward · · Score: 0

      Presumably the update changes the password to "abc12345cbb".

    14. Re: "Hardcoded"? by wierd_w · · Score: 1

      Considering that I own one of these devices, AND I participate frequently on the WD community group for this device, I can confirm that the base package is identical between consumer and midsize business class offerings. I can *ALSO* confirm that we have proposed workable patches on many numerous occasions, in every "Leave feedback" location WD makes available. (Protip, THEY IGNORE US.)

      At least on the older Gen1 consumer mycloud units, the web interface and the /etc/passwd file were hosted by a real, writable filesystem that could handle persistent changes, meaning that the information we share in the community pages could be used to correct the security vulnerabilities if you wanted to take the matter into your own hands. Many people did this.

      On the Gen2 however, WD decided that the user being able to modify the root file system persistently was just not something they felt comfortable with. It is a ram-backed root file system from an initial ramdisk, into which a cramfs container gets automatically mounted at a defined mount point. The cramfs container contains the web UI, and all the major system binaries. /etc/passwd and pals are all obliterated on every boot, because they live in the initial ramdisk image.

      That said, the hardware itself is *NOT* that bad. Just the horror-show WD offers software wise. (STAY THE FUCK AWAY FROM WD-SYNC.) There is a russian frequent contributor to the community site who has created instructions for a "From scratch" pure debian deployment on the Mycloud (both gen1 and gen2) units. This completely replaces the WD software with fully FOSS software, and gives the user full control over the unit.

Many people in the community board are Americans, like myself. We have proposed many solutions and fixes that we have locally implemented and given local testing to. We are not afraid to propose solutions, or to do things ourselves. The problem is that big companies do not feel comfortable testing things (It's a cost center! How horrible!!), and would rather just take a generic canned product, slap their name on it, and run. That is hardly an American thing.

      The issue with H1B labor is that H1B software people often tend to do the same thing. They will take the homebrewed things people like myself make, (which have **NOT*** been sufficiently tested to mass deploy!!!!!!), slap their names on them and run with them, and their bosses, doing the same exact thing, are just peachy keen with this.

As for your assertion that we should make our own startups--- Do you have any idea how much the industry is stacked against new blood entering the market? Are you fucking delusional? Do you think that there are no people in the US that are just straight up makers, builders, and engineers who do shit for fun, who would love to make neat products available to people? The major reasons why we don't have many people doing that are two-fold; 1) Our erstwhile government frowns on individual thought and self-empowerment of the citizenry, and actively promotes a narrative that if you see your neighbor making something suspicious, he is probably an Islamic terrorist making some kind of improvised explosive to blow your kids up on the bus with, or some crazy shit. The mainstream press eats that shit up like candy because it is over the top, and our culture is conditioned to soak it up like a sponge. There is a damned near moral panic against people doing neat stuff in garages these days. 2) Big corporations don't like new products entering the market, so they lobby to require "You must be this big to play" hurdles thrown in. Now, not only do you need to have a good idea and a working prototype, you need to have your entire product vetted for intellectual property from other vendors, even if you have no idea those vendors even exist, (and in many cases, are simply patent trolls!), which means hiring a small team of lawyers--- You also need investment capital to meet stringent manufacturing and materials use regulations, pay for init

  3. predictable default hostnames by perpenso · · Score: 3, Funny

    ... using one of the many predictable default hostnames ...

    Good thing I renamed mine to "FutureCorruptedBackup" ;-)

    1. Re:predictable default hostnames by Anonymous Coward · · Score: 0

      >> to "FutureCorruptedBackup" ;-)

      nice. rotflmao.. that's a good one.. great chuckle.. oh lord.. too funny... and oh i hope not so true..

    2. Re: predictable default hostnames by Anonymous Coward · · Score: 0

      It's very true.

  4. WD did nothing! by Anonymous Coward · · Score: 1

    "To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing." ... "Firmware 2.30.172 reportedly fixes the bug"

    hmm...

    1. Re:WD did nothing! by Swave+An+deBwoner · · Score: 2

      Firmware Release 2.30.172 (11/16/2017)

      So, OK, June 16 to November 16 is only 5 months.

      But their release notes don't even mention the severity of the problem and the importance of installing the updated firmware!

    2. Re:WD did nothing! by Jake+Griffin · · Score: 2

      That was what I came here to point out. Their release notes even state that it resolves "critical security vulnerabilities" - https://community.wd.com/t/2-3...

      --
      SIG FAULT: Post index out of bounds.
    3. Re:WD did nothing! by Jake+Griffin · · Score: 4, Insightful
      Just read TFA... the summary cut off a critical piece of information. TFA states:

      ... the company apparently did nothing until November 2017.

      --
      SIG FAULT: Post index out of bounds.
    4. Re:WD did nothing! by Calydor · · Score: 1

      Have you ever seen a patch that didn't say that, though?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    5. Re: WD did nothing! by Anonymous Coward · · Score: 0

      +1 Funny Truth

    6. Re: WD did nothing! by Anonymous Coward · · Score: 0

      It went into specifics of what vulnerability it fixed, though, which is less common.

  5. Standard procedure by Anonymous Coward · · Score: 2, Informative

    Whenever I buy a new external drive the first thing I do is repartition it to get rid of whatever shitty software they included and reformat it.

    1. Re:Standard procedure by Fly+Swatter · · Score: 1

      You reformat the firmware too right, just to be sure?

    2. Re: Standard procedure by Anonymous Coward · · Score: 0

Yes, I take their entire source tree and read every single bit of code before compiling it, and loading it on my device. Isn't that why it's called Open Source?

    3. Re: Standard procedure by Anonymous Coward · · Score: 1

      Can't be open source with all those trademarks you have in there.

    4. Re:Standard procedure by wierd_w · · Score: 2

      You TOTALLY CAN do that on the MyCloud.

      The boot loader looks for an unsigned kernel and initrd on a specific partition, formatted as FAT32, with a specific file name.

      You can bake your own and put it on the drive, and the mycloud will boot that image and initrd without complaints.

      In the community pages, we have been working on a straight up clean debian for quite some time. There are instructions on how to configure and compile your own kernel from the stock device tree.

  6. 2018 by santax · · Score: 3, Informative

How can it be possible that a big company like Western Digital constructs a backdoor to your personal data? Such a company - and its owners - should be shut down, prosecuted and put behind bars for many - many - years... This is not an accident. This is making sure by design they (and maybe their partners, workforce, ex-workforce and 3-letter agencies) have access to your private data. I for one will never buy another device from Western. Who knows what they have done to the ICs in their hard disks to provide access to my data. I can not look into a chip and they know that!

    1. Re:2018 by Baron_Yam · · Score: 2

      >How can it be possible that a big company like Western Digital constructs a backdoor to your personal data?

      It's not unheard of for companies to do this on consumer devices, for technical support to assist people who lock themselves out of devices and don't want to lose data. Up until now I'd only ever seen it in rebranded modems bundled with DSL service, but for a while it was difficult to avoid.

      I agree it was never a good idea, and nowadays it should be considered criminal.

    2. Re:2018 by Anonymous Coward · · Score: 0

      It sucks, but you have no choice but to support international global corporations until you die.

    3. Re:2018 by quantaman · · Score: 5, Insightful

How can it be possible that a big company like Western Digital constructs a backdoor to your personal data? Such a company - and its owners - should be shut down, prosecuted and put behind bars for many - many - years... This is not an accident. This is making sure by design they (and maybe their partners, workforce, ex-workforce and 3-letter agencies) have access to your private data. I for one will never buy another device from Western. Who knows what they have done to the ICs in their hard disks to provide access to my data. I can not look into a chip and they know that!

      It's a massive screwup, though we don't really know how it got there yet, a few quick scenarios are:
      1) It could have been a deliberate backdoor for WD, the government, etc, that was sanctioned by the highest levels of the company, but this seems quite unlikely.
      2) It could be a malicious employee (or even outside attacker) who introduced the backdoor for their own purposes.
      3) An individual or team who didn't know any better put it there.
4) An individual or team added it for testing purposes, and people forgot and never pulled it out.

      My money would be on 3 or 4, reading the advisory from the security researcher it sounds like there was a lot of sloppiness in the WD code.

      It sounds like it was inherited from another WD product that got patched in 2014 (but the patch was never ported to this device) so my money is on crappy software processes.

      --
      I stole this Sig
    4. Re:2018 by bill_mcgonigle · · Score: 4, Insightful

      They probably didn't construct it - a low-bidder did.

      "Brian" Y.G. reused the same code he did for the D-Link job, if one had to venture a guess.

      That tells you something about WD's quality.

      That they found out about this six months ago tells you something about their responsibility. It's actions like these that make class action attorneys drool while they mumble "willful negligence". It's cheaper to fix the code, IMO.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:2018 by santax · · Score: 0

I find 3 and 4 hard to believe. We all know what happened in the 90's when devices were not connected as much, but when this was common practice. GuestA, B and C with the same password made my teenage years very exciting. These days, if an engineer does this in a company, I ask who is controlling the process? Why was the probably highly paid engineer unaware of the commonly known security practices... It's a F* up indeed and in a company the size of WD there probably are strict protocols and testing of devices... While I do agree that during development you need a standard account, it's hard to believe they just 'forgot' to remove it. One person might forget it, but a complete team that develops a new product not so much. They had a reason to keep it in and that reason probably had nothing to do with customer-care.

    6. Re:2018 by Anonymous Coward · · Score: 3, Informative

      I'll tell you exactly how it got there: firmware and software development for consumer garbage like this is outsourced to the deepest, darkest bowels of China and India. The code is copied and pasted from the last project, or open source stuff is smashed together until it basically works and they ship it. In this particular case, maybe it was a convenience during development, or maybe there was an organized plan to take advantage of dumb (American) consumers who would never know any better.

      Welcome to the future of embedded software development. Unless there is some way to make legal liability stick to the companies who are treating it like unimportant scut work to be sent to the lowest bidder.

    7. Re:2018 by santax · · Score: 1

      In all fairness, you probably have the truth in your hands here. Thanks for sharing it.

    8. Re:2018 by mikael · · Score: 0

I remember buying a very early laptop which had BIOS password protection. One time I forgot the password, called the store asking how I can reset it. "Oh, you'll have to bring it into the store for our technicians to work on in our workshop. It has to be done there, as we can't let you see the recovery process." So I removed each back panel, found the password reset DIP switch, and reset the password.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    9. Re:2018 by mikael · · Score: 3, Interesting

Look at the string "dlink". I had a laptop (Sony Vaio) that would spontaneously connect to a D-Link router somewhere else in our neighborhood. By spontaneously connect, I mean wi-fi was disabled in the Linux GUI options, only to see the laptop connect spontaneously to a D-Link router. Because the case of the laptop was used as the wi-fi antenna, it had 100 meters range.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    10. Re:2018 by Nemyst · · Score: 0

      This is making sure by design they (and maybe their partners, workforce, ex-workforce and 3-letter agencies) have acces to your private data.

      Oh, cut the crap out with the conspiracy theories. The MyCloud system is all about allowing external access of your data (so you have your own "cloud" hosted locally), so it makes sense there'll be a way to access it. This is just plain laziness combined with zero oversight and total carelessness. It's awful, WD should be ashamed of themselves, but jumping to the "IT'S THE GUBINMENT STEALIN YER DATA" just makes you look like a fool.

    11. Re:2018 by julian67 · · Score: 1

      If it was cheaper to fix the code, they would fix the code. Clearly it's cheaper to ship many millions of hardware devices with insecure firmware and eventually, maybe, perhaps, pay a pittance to the tiny percentage of a tiny percentage of customers who notice and care and stay interested in an esoteric class action lawsuit about a company they can't name and a product they hardly remember even owning and which on cursory inspection seems to work fine.

    12. Re:2018 by geekmux · · Score: 3, Insightful

How can it be possible that a big company like Western Digital constructs a backdoor to your personal data? Such a company - and its owners - should be shut down, prosecuted and put behind bars for many - many - years... This is not an accident. This is making sure by design they (and maybe their partners, workforce, ex-workforce and 3-letter agencies) have access to your private data. I for one will never buy another device from Western. Who knows what they have done to the ICs in their hard disks to provide access to my data. I can not look into a chip and they know that!

Western Digital knows your opinion represents less than 1% of their current customer base. You mean less to them than the corporate coffee clerk being accused of sexual assault, which means they're not going to think twice about re-installing backdoors into their products if it provides them even the slightest benefit.

      Consumers simply don't give a shit. Firmware update a storage device? That will never happen across 90% of deployed product unless Western Digital does it themselves in a fully automated manner.

    13. Re:2018 by Anonymous Coward · · Score: 1

      5) It was intentionally and purposely put there for those times when a user contacts them (Yes, the real owner) sobbing uncontrollably because he seems to be locked out of his network drive because he forgot his password and all the pictures he had of his daughter are on there and she recently died in a car accident and he doesn't know what to do.

    14. Re:2018 by Anonymous Coward · · Score: 1

Based on the user name, it seems suspect that D-Link makes these My Cloud devices. I guess WD just buys them, slaps a low performance drive in them and then slaps some branding on them.

    15. Re: 2018 by Anonymous Coward · · Score: 1

      This. It was probably there for testing and they never took it out.

    16. Re:2018 by Anonymous Coward · · Score: 0

You don't need any DIP switch on a BIOS'd laptop to remove a BIOS password.
Just remove the tiny BIOS battery planted inside the motherboard; some of them are glued but easy to remove.

    17. Re:2018 by Anonymous Coward · · Score: 0

Backdoors for the technical support team? Those guys are useless if you're locked out with a Full Disk Encryption tool like VeraCrypt or TrueCrypt.
Unless the backdoor also uploads your FDE password to a server somewhere.

      captcha: privacy

    18. Re:2018 by Anonymous Coward · · Score: 0

      Weren't you the guy who keeps on telling me Linux is very secure and was designed with security in mind from the ground up?
      Are you sure it wasn't Systemd initiating a WiFi connection to a dlink device?

    19. Re:2018 by Anonymous Coward · · Score: 0

      Nice try russian.

    20. Re:2018 by Anonymous Coward · · Score: 0

Yes. The "code" that runs on MyBook Live and My Cloud is written by some 3rd grade Indian "coders" that have left comments with their names in it. They make even the simple operations in such indirect and awkward ways that you have to think they have never actually seen Linux. They duplicate shell commands and integrated utilities with custom scripts. I had to fix them more than once by reformatting the data partition to XFS (because ext4 is super dumb and slow).
However, you have SSH to these. If you do not inspect the /etc/passwd file then what good are you?

    21. Re: 2018 by Anonymous Coward · · Score: 0

      I tried removing the motherboard battery to reset a BIOS password on my Asus laptop. It turns out there's a small embedded memory chip that stores the bios password and the only way to reset it is to solder it off the board.

    22. Re: 2018 by Anonymous Coward · · Score: 1

      Open it up, take out the drive, plug it into your desktop. Zero reason to hard code backdoors like this.

    23. Re:2018 by Anonymous Coward · · Score: 1

      You can bet your ass that the NSA backdoor isn't easy to find like this. If you find incompetence "hard to believe", you've got to be new to Earth.

    24. Re:2018 by swb · · Score: 3, Interesting

      I think this is the best answer. I doubt "Western Digital" had much to do with the actual software development. They probably had some web designer approve the user interface look and feel for compliance to their design standards and the rest was done who knows where.

The downside to open source software seems to be the ease with which it allows multinationals to buy the cheapest software possible without actually having to invest much at all in software development; all they need is someplace minimally competent to glue together a bunch of open source components.

    25. Re:2018 by Anonymous Coward · · Score: 0

      > It sounds like it was inherited from another WD product that got patched in 2014

      It's funnier than that. It looks like WD's software is derived from DLink's software for the D-Link DNS-320L. D-Link fixed their own software for this flaw back in 2014. WD apparently didn't follow through with those updates.

    26. Re:2018 by Anonymous Coward · · Score: 0

      People like to talk about how easy it is to sue, but it's actually pretty difficult to win. To successfully sue WD over this issue, you'd have to prove economic damages, and that those damages were caused by a breach of your "My Cloud" data, and that WD was grossly negligent. If you can't PROVE all three of those things, you lose.

    27. Re: 2018 by Anonymous Coward · · Score: 0

      Do you really think customer support will tell the average user the solution is to disassemble the product? Would the average user even know how to open the case and connect the drive directly to a computer? Why am I even arguing with myself? Damn doctor needs to up my medication.

    28. Re:2018 by Anonymous Coward · · Score: 0

      How can it be possible? Easy. For any large company, management doesn't give a crap about product quality or security audits as long as the product ships. NSA, FBI, or whatever agency bribes someone to insert backdoor into product. Management doesn't know and doesn't care. Everybody involved is a criminal either by deed or by deliberately not knowing what they should know and yet nobody gets arrested.

    29. Re:2018 by coofercat · · Score: 2

1) Team A writes version 1.0 of firmware for product X. Along the way, they put some hard-coded credentials in for testing.
      2) Team B is tasked to work on firmware for product Y. They fork X1.0 as a starting point (possibly without clearly stating they are doing this to Team A, so Team A isn't really aware of their existence)
      3) Team A fixes the issue in their code, makes 1.1 for product X. The uptake of the firmware by the public is 10% of the install base.
      4) Poor internal communication, and the lack of urgency created by the poor up-take of the new firmware means Team B never hears about the update.
      5) Team B produces 1.0 for product Y.
      6) Product Y sells like hot-cakes, far eclipsing product X.

      I don't know where you've worked, or for how long, but (4) seems to happen just about anywhere larger than a few hundred people. 'Commercial pressures' mean that Team B never really spend any time reviewing the code they inherited, and it's also possible Team B are the outsource, or the junior folks because they're only 'tweaking the code' for the new product, not writing low-level code from scratch.

I'll bet this sort of chain of events happens all over the place ("Team A" could be library or framework writers, not just product folks). It probably doesn't 'leak' security problems every time though.

    30. Re:2018 by sjames · · Score: 1

      I'm not so sure I want to trust my data to crappy software processes.

    31. Re:2018 by Anonymous Coward · · Score: 0

      I think this is the best answer. I doubt "Western Digital" had much to do with the actual software development. They probably had some web designer approve the user interface look and feel for compliance to their design standards and the rest was done who knows where.

The downside to open source software seems to be the ease with which it allows multinationals to buy the cheapest software possible without actually having to invest much at all in software development; all they need is someplace minimally competent to glue together a bunch of open source components.

Open source hasn't changed anything in this regard, except we can now run cleaner firmwares instead by stealing the hardware parts from bad firmwares and good copies of the rest of the software from the web.

      Multinationals have always bought the cheapest thing they could get away with.

    32. Re:2018 by erapert · · Score: 1

      Parent post is kind of right.

      Want to make a difference?
      Go out of your way to use open source software. At home convert everything you have to open source software. At work just do it without even asking, just choose open source tech to base your stuff on (do I even have to say "as much as possible where it won't break things"??).

      Microsoft, Intel, WD, Oracle etc. will start to get the message when their fat contracts stop getting renewed because real people who work in the tech industry are choosing vendors that screw them less badly or choose open source solutions instead.

      Did anyone else notice how M$ all-a-sudden got real cozy and friendly with open source stuff in the past couple years? Yeah, they noticed that everyone was using Linux on their servers and that you can barely find even a single page of documentation for $LatestCoolFramework written for Windows rather than for *nix. When was the last time you heard everyone get excited about some ASP.NET thing or IIS or anything besides anger and annoyance at M$ and Windows 10? They tried to push their crappy little store and got a yawn or outright derision and hatred from people "who know how to use computers"; these are the same people that write the code and set up the servers and they remember the asshole moves that Oracle and M$ and Intel et al have made in the past. Microsoft noticed how they were the uncool jerks that all the programmers couldn't wait to get rid of... oh, and tralala see guys we're opening up the C# license stuff and absorbing Mono and implementing a Linux subsystem for Windows and here's this, like, totally cool text editor VisualStudio Code! See, guys and girls, we're like totally rad and cool now...

      They'll worry. Oh, they'll worry. Just put the pressure on... but do we even care if they reform? We can't trust that they won't go back to their abusive ways if their bottom line starts to recover.

      Strike abusive software companies at the neck: use open source software.

    33. Re:2018 by Reziac · · Score: 1

      I'd guess rather that this wifi thing being outside WD's field of expertise, they perforce relied on a contractor to have the required expertise.

      How do you tell when someone doesn't actually know as much as they claim, when you know nothing about it at all?

      And I expect they're not alone.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    34. Re:2018 by geekmux · · Score: 1

      Parent post is kind of right. Want to make a difference? Go out of your way to use open source software. At home convert everything you have to open source software. At work just do it without even asking, just choose open source tech to base your stuff on (do I even have to say "as much as possible where it won't break things"??). Microsoft, Intel, WD, Oracle etc. will start to get the message when their fat contracts stop getting renewed because real people who work in the tech industry are choosing vendors that screw them less badly or choose open source solutions instead. Did anyone else notice how M$ all-a-sudden got real cozy and friendly with open source stuff in the past couple years? Yeah, they noticed that everyone was using Linux on their servers and that you can barely find even a single page of documentation for $LatestCoolFramework written for Windows rather than for *nix. When was the last time you heard everyone get excited about some ASP.NET thing or IIS or anything besides anger and annoyance at M$ and Windows 10? They tried to push their crappy little store and got a yawn or outright derision and hatred from people "who know how to use computers"; these are the same people that write the code and set up the servers and they remember the asshole moves that Oracle and M$ and Intel et al have made in the past. Microsoft noticed how they were the uncool jerks that all the programmers couldn't wait to get rid of... oh, and tralala see guys we're opening up the C# license stuff and absorbing Mono and implementing a Linux subsystem for Windows and here's this, like, totally cool text editor VisualStudio Code! See, guys and girls, we're like totally rad and cool now... They'll worry. Oh, they'll worry. Just put the pressure on... but do we even care if they reform? We can't trust that they won't go back to their abusive ways if their bottom line starts to recover. Strike abusive software companies at the neck: use open source software.

      Major vendors know your opinion represents less than 1% of their current customer base. Open-source takes far more effort than walking into [big-box store], buying crap off the shelf, and plugging it in. Laziness about technology coupled with an I-don't-give-a-shit-about-privacy mentality has been a vendor's wet dream for many years now. That won't change no matter how many vulnerabilities you throw at the ignorant masses.

      And no one will get "the message" because you're never going to convince your CxOs that open-source solutions are worth abandoning tried and true vendors they've entrusted for decades, so don't think for a minute the corporate world will adopt this mentality any better than the consumer world.

      Would open-source likely be better? Yes, it would. So would the average consumer adopting common sense when it comes to privacy and security. Good luck with that.

    35. Re:2018 by Anonymous Coward · · Score: 0

      You have to prove damages, and they don't have to be economic, numbnuts.

    36. Re:2018 by mikael · · Score: 1

      Not me. SystemD wasn't around at the time on Fedora. I still have the OS partition/drive, as at the same time, the DVD/CD drive stopped working, so I couldn't upgrade.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    37. Re: 2018 by Anonymous Coward · · Score: 0

      If you put it into a Windows PC, the first thing to happen is Windows saying it needs formatting before it can be used; the WD cloud drives are ext4 formatted.

  7. This makes me glad I gave up on consumer NAS by Baron_Yam · · Score: 1

    I gave up on consumer NAS because the permissions suck - you can't integrate with a Windows domain. So these days my 'NAS' is a USB drive shared off my server.

    On the other hand, I'm not 100% certain (because of lack of interest once I had my own solution in place), but I believe many consumer router/modems now come with a USB port to share storage or a printer. I'd suggest investing some time in hunting down a router with that feature instead of going with a consumer NAS device.

    On my third hand... I'm not entirely sure if permissions would work under that scenario or if the router would ignore them. Presumably it ends up acting as a gateway and may not support anything other than "Everyone - Full Control". And I've no idea what would happen with Linux or Mac users.

    1. Re:This makes me glad I gave up on consumer NAS by pnutjam · · Score: 1

      I just use a low power linux box, what's the appeal to hardware NAS. They are usually just a poorly configured Linux version that doesn't get patched.

    2. Re:This makes me glad I gave up on consumer NAS by Baron_Yam · · Score: 1

      >what's the appeal to hardware NAS.

      At the consumer level, the appeal is that it's a small box you plug in and forget unless you want to move it.

      That's why I replaced mine with a USB enclosure - so I can take the entire library wherever I want without carrying a large computer case, keyboard, and monitor with me.

    3. Re:This makes me glad I gave up on consumer NAS by pnutjam · · Score: 1

      Why carry it, I can grab files via scp.

    4. Re:This makes me glad I gave up on consumer NAS by Baron_Yam · · Score: 1

      Because for large amounts of data, sneakernet is still more convenient.

    5. Re:This makes me glad I gave up on consumer NAS by pnutjam · · Score: 1

      True. My "NAS" has a removable drive I use for offsite backups. I can grab a current copy of everything important and take it with me anytime.

  8. WD is not what it used to be by LeftCoastThinker · · Score: 2

    I was a fan of WD for a long time, I even had a couple of their NAS My Book Live drives, which were quite nice for the price and were accessible directly over the LAN, but the new "My Cloud" drives require crappy software to work and require you to always be online to work, both deal killers for me. These days I only buy HGST drives (yes, I know WD owns them, but they are still made by a different group).

    --
    If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
    1. Re:WD is not what it used to be by thegarbz · · Score: 1

      WD is everything they always were. Their software was always crappy, especially their drive tools. It stands to reason that more complex software remains equally crappy. Their drives however still are at the top of my buying list.

      As for HGST being a different group, culture is inherited from the top. Don't bet the farm on them being safe from software quality issues because "different group".

  9. backdoor!==secure by Anonymous Coward · · Score: 1

    The issue appears to be one of control. Intel wants control of their chips so they put in a secret operating system; AMD did the same. John Deere doesn't want farmers to fix their tractors, cars are sold with black boxes unable to be removed or GPS taggers by the dealership they sometimes forget to remove. OnStar can remotely disable your vehicle.

    When we pay money for a product the issue of control is supposed to be that we have it, we have the item, we have the control. The idea is supposed to be that the 'free market' takes care of these problems, don't like your tractor from John Deere get one from somewhere else, don't like Intel or AMD go buy another chip etc. However in reality a core principle of the free market is that leaders and monopolies rise or organizations will combine through mergers leaving little viable competition.

    How to fix? Well we require access to technologies and blueprints for many of these products in order to replicate/fix/upgrade them which is something frowned upon in North America. It should not be though, we should have a central repository of knowledge that industry leaders or startups can reference for creating these items without having to play legal games and jump through hoops purchasing/leasing patents. We need to open this knowledge up for the public. I want to be able to create my own chips and circuit boards at home, which seems fantastical but I do not believe that it is, it just feels that way because we do not do this now and imagine it requires some sort of super science.

    Western Digital's backdoor is a symptom of a disease of ownership past the point of purchase which is afflicting North America, weakening us. We need more alternatives, we need a competitive market place, and we need to empower individuals to create.

  10. Transposed by Anonymous Coward · · Score: 0

    It's the MyCloud NSA drive

  11. The subject is the *#^% article by Anonymous Coward · · Score: 1

    I am shocked—shocked—to find that there is a back door in a "cloud" product.

  12. Re:Superfag Kendall LOVES it up the backdoor! by Anonymous Coward · · Score: 0

    How about you gettin' faggin'...

  13. Flame Bait by Anonymous Coward · · Score: 0

    From TFA "To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing. "
    Yet after that they state "Firmware 2.30.172 reportedly fixes the bug."
    So they did nothing, but they also fixed the bug in a new release of firmware?

  14. I tried this ... by CaptainDork · · Score: 3, Interesting

    ... on my "WD Mycloud" wireless device that I purchased last year.

    When I entered the username, "mydlinkBRionyg" (without the quotes), the text box had an "X" in it, saying, "Only administrator users are allowed."

    I checked the firmware version and it does have the latest (2.30.172).

    I do not allow access from outside the local LAN and I have to log in as Admin and enable "Share" in order to map a drive.

    I leave Share activated only during the short period of time that it takes to copy files to/from the device and then I disable Share again.

    I'm hoping that "offline" condition protects me from intruders.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:I tried this ... by 110010001000 · · Score: 1

      "Exploiting this issue to gain a remote shell as root is a rather trivial process. All an attacker has to do is send a post request that contains a file to upload using the parameter 'Filedata[0]', a location for the file to be uploaded to which is specified within the 'folder' parameter, and of course a bogus 'Host' header," says James Bercegay, GulfTech Research and Development.

    2. Re: I tried this ... by LordKronos · · Score: 4, Insightful

      When I entered the username, "mydlinkBRionyg" (without the quotes), the text box had an "X" in it, saying, "Only administrator users are allowed."

      Please tell me their "fix" wasn't a JavaScript block to prevent you from entering the password for that user.

    3. Re: I tried this ... by CaptainDork · · Score: 1

      1.) Read my post again and notice I never said I entered a password.

      2.) I have no fucking clue what their fix was.

      3.) I don't even know if their fix works.

      --
      It little behooves the best of us to comment on the rest of us.
    4. Re: I tried this ... by nine-times · · Score: 1

      I think LordKronos was pointing out that the login page seemed to disallow you from trying to log into that account via a dynamic update to the web page (You went to log in and the text box updated with an X). Hopefully they actually did something more substantive to block the login, rather than simply inserting a script that blocks using that login-- the reason being that an attacker could block the script from running.

      That's a bunch of speculation, and hopefully WD isn't that stupid.

    5. Re: I tried this ... by CaptainDork · · Score: 1

      Thanks for the clarification, but I don't think WD is stupid.

      I think the word we're looking for is, "incompetent."

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re: I tried this ... by Anonymous Coward · · Score: 0

      their fix was to upgrade the password to 01234567890123456879

    7. Re:I tried this ... by Fusen · · Score: 1

      I have an EX2 and tried the username and password on the 2.11.xx firmware and it didn't let me login.

      I then read the actual original vulnerability release and you can't use the login details to sign into the UI; the username and password are hardcoded into a specific file that needs to be called via an HTTP(S) request. So you can just test this by attempting to log in.

    8. Re:I tried this ... by CaptainDork · · Score: 1

      Thanks, but hold my hand on this one, please.

      I enter http://wdmycloud/ into my browser and, after some chum time, I'm presented with the login page.

      The only name that works in the username field is Admin.

      So you can just test this by attempting to log in.

      What am I doing wrong?

      Thanks.

      --
      It little behooves the best of us to comment on the rest of us.
    9. Re:I tried this ... by Anonymous Coward · · Score: 0

      RTFA.
      The backdoor is not in the login page, it's through a GET request for /cgi-bin/nas_sharing.cgi.

      I tried the credentials on an older firmware version, and they don't work at the login page. But they do work through nas_sharing.cgi!
      After updating to 2.30.172, the credentials don't work in either situation.
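
      The CGI path named above is the thing to look for on the wire and in the device's web logs, and the firmware version is the thing to check before trusting a unit again. The following Go program is an added example, not code from the thread or from the advisory: it triages constructed Apache combined-format access log lines for hits on /cgi-bin/nas_sharing.cgi, for the hardcoded username appearing anywhere in a request, and for requests referred from a page outside the LAN (the img/iframe cross-site trick the advisory describes, which shows up as a foreign Referer), and it compares a dotted firmware version against the 2.30.172 fix release. The log lines, the device hostnames in localNames, and the query parameter name on the third sample line are all made up for the example; only the path, the username and the fix version come from the page.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

const (
	backdoorUser = "mydlinkBRionyg"          // hardcoded username reported in the article
	backdoorPath = "/cgi-bin/nas_sharing.cgi" // CGI the backdoor is reached through
)

// fixedFirmware is the release the article reports as fixing the bug.
var fixedFirmware = [3]int{2, 30, 172}

// localNames are origins a browser on the LAN legitimately navigates the NAS
// from. Any other Referer host means a third-party page made the request (the
// img/iframe cross-site request the advisory warns about). Assumed values.
var localNames = map[string]bool{
	"wdmycloud":       true,
	"wdmycloudmirror": true,
	"192.168.1.20":    true,
}

// SampleLog is constructed input in Apache combined log format. The query
// parameter name on the third line is made up; the real CGI's parameters
// are not given in the thread.
var SampleLog = []string{
	`192.168.1.55 - - [05/Jan/2018:21:14:02 +0000] "GET /web/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"`,
	`192.168.1.55 - - [05/Jan/2018:21:14:09 +0000] "GET /cgi-bin/nas_sharing.cgi HTTP/1.1" 200 312 "http://evil.example/" "Mozilla/5.0"`,
	`203.0.113.9 - - [05/Jan/2018:21:20:41 +0000] "POST /cgi-bin/nas_sharing.cgi?u=mydlinkBRionyg HTTP/1.1" 200 88 "-" "python-requests/2.18"`,
	`192.168.1.55 - - [05/Jan/2018:21:21:00 +0000] "GET /web/images/logo.png HTTP/1.1" 200 9000 "http://wdmycloud/web/" "Mozilla/5.0"`,
}

// Finding is one suspicious log line and why it was flagged.
type Finding struct {
	Line   int
	Client string
	Reason string
}

// combined log format: client ident user [time] "method target proto" status bytes "referer" "agent"
var logRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$`)

// Triage scans access-log lines and reports anything that looks like use of
// the backdoor: requests to the CGI, the hardcoded username anywhere in the
// request, and requests referred from a page that is not the NAS itself.
func Triage(lines []string) []Finding {
	var out []Finding
	for i, ln := range lines {
		m := logRe.FindStringSubmatch(ln)
		if m == nil {
			continue // not combined log format; skip rather than guess
		}
		client, method, target, referer := m[1], m[2], m[3], m[5]
		u, err := url.Parse(target)
		if err != nil {
			continue
		}
		if u.Path == backdoorPath {
			out = append(out, Finding{i + 1, client, method + " to backdoor endpoint " + backdoorPath})
		}
		if strings.Contains(ln, backdoorUser) {
			out = append(out, Finding{i + 1, client, "hardcoded backdoor username in request"})
		}
		if referer != "-" && referer != "" {
			if r, err := url.Parse(referer); err == nil && !localNames[strings.ToLower(r.Hostname())] {
				out = append(out, Finding{i + 1, client, "cross-site request referred from " + r.Hostname()})
			}
		}
	}
	return out
}

// Patched reports whether a dotted firmware version is at or above the fix
// release. It assumes one linear version line; anything unparsable is
// treated as unpatched, which is the safe failure for this check.
func Patched(version string) bool {
	parts := strings.Split(strings.TrimSpace(version), ".")
	if len(parts) != len(fixedFirmware) {
		return false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false
		}
		if n != fixedFirmware[i] {
			return n > fixedFirmware[i]
		}
	}
	return true
}

func main() {
	for _, f := range Triage(SampleLog) {
		fmt.Printf("line %d  client %-13s  %s\n", f.Line, f.Client, f.Reason)
	}
	for _, v := range []string{"2.30.165", "2.30.172", "2.31.1"} {
		fmt.Printf("firmware %s patched: %v\n", v, Patched(v))
	}
}
```

      On the sample input the second line is flagged twice (CGI hit plus a Referer from evil.example, which is what the LAN-only user in this thread should worry about) and the third line twice (CGI hit from an Internet address plus the username). The Referer rule is only a hint, since a browser or an attacker can omit the header; the path rule is the one to alert on.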

    10. Re:I tried this ... by CaptainDork · · Score: 1

      Well, fry me for an oyster but I was hoping for a "do this," answer.

      Thanks anyway.

      --
      It little behooves the best of us to comment on the rest of us.
    11. Re: I tried this ... by Anonymous Coward · · Score: 0

      That's a bunch of speculation, and hopefully WD isn't that stupid.

      Yeah, hopefully your speculation is wrong, but it isn't entirely stupid. They could do that as a quick PR fix while working on getting out a real fix.

  15. Jagger said it best by alvinrod · · Score: 3, Funny

    Jagger said it best: "Hey! You! Get off of my cloud!"

  16. needs new name by coolmoe2 · · Score: 1

    Perhaps "our cloud" would be more apt.

  17. Huh? by Anonymous Coward · · Score: 0

    Western Digital did nothing and they also fixed it via firmware. Huh?

    1. Re:Huh? by networkzombie · · Score: 1

      They did nothing until months later. Why are there a myriad of anonymous posts claiming that WD was quick to fix this? Do we need a Western Digital Employee filter?

    2. Re:Huh? by Wulf2k · · Score: 1

      Who said they were quick to fix it?

      But if we have two pieces of information, "They did nothing" and also "it is fixed", then that causes some confusion.

  18. herd speak by Anonymous Coward · · Score: 0

    Non-issue because the warning used "literally". Next...

  19. They also have a front door by Anonymous Coward · · Score: 0

    Being explicitly cloud mirrored devices, once configured they automatically copy the contents to a 3rd party. And people buy these things.

  20. *Points and Laughs* Ha Ha! by bigmacx · · Score: 1

    https://www.youtube.com/watch?v=VIXOOwthtaE

    Way to go idiot WD programmers, QA, supervisors, managers, and your whole stupid operation.

    Love you hard drives though.

  21. Serious question by RogueWarrior65 · · Score: 2

    So, let's say you're designing a Linux-based embedded system and you want to be able to make modifications and upgrades to the OS in the field. How do you allow for this without root access? And so what if the root user has a password? If you have to give that to a customer to perform these upgrades, that password is no longer secure.

    1. Re:Serious question by sky_khan72 · · Score: 1

      Making the root account accessible from the internet for upgrades? You must be joking. Why can't you develop an automatic update scheme like all the others? The device should ask a public server if there is an update, notify the user if there is one, and download and apply it if the user wants.

    2. Re:Serious question by Anonymous Coward · · Score: 0

      You include a daemon that accepts signed update packages. This isn't rocket science.

    3. Re:Serious question by RogueWarrior65 · · Score: 1

      Well, not internet-based updating per se. But let's say you need to update certain libraries or perhaps install a new piece of software like PHP or something. A super user has the privilege to modify stuff in the OS directory tree so you need to allow the customer or even the updater to be a super user. How do you do that without allowing them to touch stuff you don't want them to?

    4. Re:Serious question by sky_khan72 · · Score: 1

      Create an "updatebot" user, give only the necessary (filesystem) rights to it, and use a daemon running under that account? Once I wrote something like that to update a few hundred client machines' PHP sources which we develop. When there was an update to send to clients, I ran a script which checked out release branch sources from SCM, packaged them and uploaded them to a public "distribution" server. It ran fine.

    5. Re:Serious question by Anonymous Coward · · Score: 0

      > How do you allow for this without [password-based] root access?

      Enable SSH access to keys signed by a CA known to the vendor?

      https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-using_openssh_certificate_authentication

      https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-creating_ssh_ca_certificate_signing-keys

      https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-distributing_and_trusting_ssh_ca_public_keys

      Then guard that CA cert like you guard the rest of your code signing certs.

    6. Re:Serious question by gweihir · · Score: 1

      Very simple:
      1. Pull-only update to be triggered on device side (Incidentally, accessing such a device from outside without explicit permission is a crime, even if it is to patch...)
      2. Download with signature check
      3. Install

      I have pretty much this set-up in a cron job on my Debian servers.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
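
    The three posts above (a daemon that accepts signed packages, an "updatebot" account with only the rights it needs, and gweihir's pull-only download, signature check, install) describe one design. The Go program below is an added example of that design, written for this thread and not taken from any vendor's firmware: the vendor signs a small manifest (package digest plus a monotonic build counter) with an Ed25519 key, and the device, which holds nothing but the vendor's public key and its own counter, verifies the signature before it even parses the manifest, binds the package bytes to the manifest, and refuses downgrades and replays. The key pair is generated in-process only so the example runs offline; in a real release pipeline the private half lives on an offline signing host. The package bytes are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the small, signed description of one firmware package.
// Seq is a monotonic build counter used for anti-rollback; SHA256 binds the
// manifest to the exact package bytes.
type Manifest struct {
	Seq    uint64 `json:"seq"`
	SHA256 string `json:"sha256"`
}

// Update is what the device pulls from the distribution server: the manifest
// bytes that were signed, the Ed25519 signature over them, and the package.
// Pull-only: the device fetches this; nothing listens for inbound commands.
type Update struct {
	Manifest  []byte
	Signature []byte
	Package   []byte
}

// Device holds only the vendor's public key and the counter of the firmware it
// currently runs. No private key, no password, nothing for a leak to expose.
type Device struct {
	VendorPub ed25519.PublicKey
	Seq       uint64
}

var (
	ErrBadSig   = errors.New("manifest signature does not verify against vendor key")
	ErrDigest   = errors.New("package digest does not match signed manifest")
	ErrRollback = errors.New("update is not newer than installed firmware")
)

// NewVendorKey generates the vendor signing key. Done here so the example is
// self-contained; in production the private half never leaves the release host.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignPackage is the vendor-side release step: hash the package, write the
// manifest, sign the manifest bytes.
func SignPackage(priv ed25519.PrivateKey, seq uint64, pkg []byte) Update {
	sum := sha256.Sum256(pkg)
	mf, err := json.Marshal(Manifest{Seq: seq, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		panic(err)
	}
	return Update{Manifest: mf, Signature: ed25519.Sign(priv, mf), Package: pkg}
}

// Apply is the device-side check. Order matters: authenticate the manifest
// before parsing it, bind the package to the manifest, then refuse anything
// not strictly newer. Only after all three would the installer touch the package.
func (d *Device) Apply(u Update) error {
	if !ed25519.Verify(d.VendorPub, u.Manifest, u.Signature) {
		return ErrBadSig
	}
	var m Manifest
	if err := json.Unmarshal(u.Manifest, &m); err != nil {
		return err
	}
	sum := sha256.Sum256(u.Package)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigest
	}
	if m.Seq <= d.Seq {
		return ErrRollback
	}
	// install(u.Package) would run here, as a dedicated low-privilege user
	// (the "updatebot" of the thread) that can write only the staging area.
	d.Seq = m.Seq
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	dev := &Device{VendorPub: pub, Seq: 5}

	good := SignPackage(priv, 6, []byte("constructed firmware image, build 6"))
	fmt.Println("genuine update:", dev.Apply(good), "now at seq", dev.Seq)

	tampered := SignPackage(priv, 7, []byte("constructed firmware image, build 7"))
	tampered.Package = []byte("trojaned image") // digest no longer matches manifest
	fmt.Println("tampered package:", dev.Apply(tampered))

	_, mallory := NewVendorKey() // attacker's own key, not the vendor's
	forged := SignPackage(mallory, 7, []byte("attacker-built image"))
	fmt.Println("forged signature:", dev.Apply(forged))

	fmt.Println("replayed old update:", dev.Apply(good))
}
```

    The counter, rather than a dotted version string, is what makes the rollback check unambiguous: an attacker who captured an older, genuinely signed package with a known hole cannot feed it back to the device. The signature is checked before json.Unmarshal so that the parser only ever sees vendor-authenticated bytes.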
  22. And will Sarbanes-Oxley be applied? by Anonymous Coward · · Score: 2, Interesting

    With Sarbanes-Oxley passed years ago, not a single CEO has been held accountable. Yet, this is ANOTHER case where the CEO SHOULD be and MUST be held accountable for allowing their company to produce a clear and dangerous product deficiency.

    Democrats wanted SO but never use it. Was it just a money grab as people said it was? The answer is : Yes. Another worse law by worthless liberals that costs this country BILLIONS each year. Either repeal S.O. or apply it!

    1. Re:And will Sarbanes-Oxley be applied? by gweihir · · Score: 1

      Your political agenda is misplaced. Because if you look at what the conservatives do, you find it is even worse.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:And will Sarbanes-Oxley be applied? by DogDude · · Score: 1

      Dipshit, the CEO shouldn't be held accountable. They're just employees. The OWNERS OF THE COMPANY should be held liable. Unfortunately, the money-grubbing Republicans have, over decades, completely separated corporate ownership from any kind of personal liability.

      Oh, and fuck you.

      --
      I don't respond to AC's.
    3. Re:And will Sarbanes-Oxley be applied? by buchanmilne · · Score: 1

      With Sarbanes-Oxley passed years ago, not a single CEO has been held accountable.

      But many CFOs have been, and while there isn't evidence that CEOs have been charged:

      it forces corporations to be more vigilant about financial reporting at all levels, which is likely one of the reasons there have been few accounting scandals at major public corporations since Sarbanes-Oxley took effect. In that regard, the law is doing what it's supposed to, encouraging accountability and deterring fraud.

      Yet, this is ANOTHER case where the CEO SHOULD be and MUST be held accountable for allowing their company to produce a clear and dangerous product deficiency.

      Maybe, but not under SOX, as SOX covers fraud, not product deficiencies that haven't been proven to be knowingly fraudulent.

      However, this is why I don't use proprietary NAS systems. If I wanted vulnerabilities in code I don't control to affect the security of my data, I would much rather use a public cloud, whose entire business is data security, than appliances from a disk vendor for whom this is a side business, supposedly trading on the insecurity of the cloud and punting the security of their device "because not cloud" where it's still effectively someone else's computer (running code I can't look at).

  23. Why would you buy a NSA drive? by Grog6 · · Score: 1

    Isn't the reason you bought private storage that you wanted to keep it private?

    It said NSA on the label; Dang!

    I use mine mostly to load pee videos, hoping I'll get a job in the current administration; you never know...


    --
    Truth isn't Truth - Giuliani
    1. Re:Why would you buy a NSA drive? by mark-t · · Score: 1

      Not sure if you are trying to be funny or if you misread, but this is about NAS drives, which has nothing to do with the NSA

    2. Re:Why would you buy a NSA drive? by Anonymous Coward · · Score: 0

      Obviously off-topic, but ZyXEL (a totally different company) makes a line of crappy NAS products called "NSA" like NSA-220, etc.

  24. Firmware 2.30.172 reportedly fixes the bug by Anonymous Coward · · Score: 0

    meaning the password is changed to "abc12345cba1"

  25. Of course they do by aaarrrgggh · · Score: 1

    Not placing this type of equipment on a dedicated, protected VLAN with no external access and no untrusted internal access was always stupid. Sure, that might not provide bulletproof security, but it is pretty good for my backups.

    1. Re:Of course they do by Mordaximus · · Score: 1

      Not placing this type of equipment on a dedicated, protected VLAN with no external access and no untrusted internal access was always stupid. Sure, that might not provide bulletproof security, but it is pretty good for my backups.

      What ratio of consumers of this product know what a VLAN is, or how to configure it? It's stupid to assume the user knows any better. The consumer has a reasonable expectation that if they are sold a "secure" product, it is actually secure.

    2. Re:Of course they do by aaarrrgggh · · Score: 1

      Well, it does have "cloud" in the name... so security should not be assumed.

      IIRC, the web interface also defaults to no password.

  26. Time to call this gross negligence by gweihir · · Score: 1

    Or intent. All damage done to be paid for by them, triple damages on top, and they have to prove it was not their fault to fend that off. Or alternatively, they have to take these back, give a full refund and pay $1000 or 3 times the value for the effort to move the data, whichever is higher. Hard coded passwords are one of the most extreme and most obvious violations of basic security best practices.

    As it currently is, absolutely nothing but a bit of bad press will be happening to them and hence they will do nothing.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  27. So that's why my light was blinking all the time by wakeboarder · · Score: 1

    I had a drive like this, I took it down after it appeared to be making transfers in the middle of the night when all of my computing equipment was shut off.

  28. joke product, there isn't even a shutdown option by itsme1234 · · Score: 3, Interesting

    I wonder what people are expecting. They aren't treating this seriously; at least on My Cloud Gen 2 (current) there isn't even an option to cleanly shutdown or unmount or mount read-only the main volume. Not even if you enable ssh access (which they warn you not to, for good reason as it is OpenSSH_5.0p1, probably close to 10 years old).

    This is not something you don't catch at testing, not something you design later. Anybody who used a computer since windows 95 and has some working neurons will think "hm, I'm supposed to do some tests or write some documentation on this box I have here but now that I'm done how to shut it down. Pull the plug? Nah, can't be.". They probably asked and the well practiced answer from the (inaptly called) Engineering was "just pull the plug on that 8TB ext4 volume, what can go wrong?".

  29. Bad advice by Anonymous Coward · · Score: 0

    >> make sure your device is updated before reconnecting to the internet.

    What a load of very bad advice.
    Trusting a company again with such a shitty record of deliberately exposing their users' data, and not even acknowledging and explaining the problem, then correcting silently???
    And the author wants to trust them??? And he gives advice to people to trust them again??
    That's irresponsible from the author.

  30. Yes, 3 or 4 by Anonymous Coward · · Score: 0

    Yes, my money is on 3 or 4 too (too obviously stupid for other things, but then... plausible deniability and things, so I would just bet 3/4 of my farm).

    But this:
        "it was disclosed to Western Digital six months ago and the company did nothing."

    should definitely put someone higher up in jail, if it's true. It signals a major failure in corporate culture.

  31. Amazing Content by Anonymous Coward · · Score: 0

    I feel glad to stumble upon this content. i have written a blog on Laravel PHP framework click more to read more http://micrasystems.com/laravel-development-company/

  32. WD and Seagate scores lowest on quality by Anonymous Coward · · Score: 0

    as well, when it comes to their hard drives. Have a look at Backblaze's benchmarks and notice the dramatic difference in lifespan and quality of drives compared to Toshiba and Hitachi/HGST. If you're looking for a new drive, this is just another reason to stay away from WD (and Seagate).

    1. Re:WD and Seagate scores lowest on quality by pnutjam · · Score: 1

      yeah, but even backblaze says their prices still make them competitive.

  33. Re: Untrue! by Anonymous Coward · · Score: 0

    You can live in a shack in the woods like Ted Kaczynski. It only took the FBI two weeks to plant the third typewriter that turned out to "prove" he was the Unabomber, the other two they first found brought out not matches for crazy letters (but just forget about that, you're TOTALLY free to go live alone in the woods bro!).

  34. Calm Down and adjust your tinfoil hat. by DarthVain · · Score: 2

    I am not in the least surprised. This isn't anything malicious, or nefarious. I'm almost certain that this was implemented intentionally for user support purposes.

    Users forget their credentials all the time. If there is no backdoor, all their data is lost. Likely someone ran the risk matrix and determined it was better to have a backdoor that could provide access to users (likely support staff to go in and reset users' passwords), than to have a bunch of angry users losing all their data all the time. Anyone that has worked in IT for any period of time will know that this issue is constant and likely the most numerous reason for support calls.

    Further, if you're using a commercial WD Cloud NAS, you aren't holding the nuclear codes or any kind of industrial secrets in there. At worst, there will be a lot of personal information you might not like out in the wild. Considering a user could presumably also further encrypt their data on said NAS if they really wanted to, if they were really storing something sensitive that really puts it back onto the user. I wouldn't be surprised if somewhere buried in the WD cloud EULA all of this is explained and indemnified for WD.

    The only thing I find a bit surprising is the half-assed way it was seemingly implemented. The username is "mydlinkBRionyg" and the password is "abc12345cba"? Really? That is just lazy. They could have at least made the method a bit more difficult or at least come up with a username/password that wasn't something an 8-year-old would come up with...

    1. Re:Calm Down and adjust your tinfoil hat. by Anonymous Coward · · Score: 0

      You would be surprised how much important data are stored on cheap consumer stuff due to person x put it there because it was more convenient or person x put the stuff on device y that at some point backed up to cheap consumer device z.

  35. Firewalls. by Hylandr · · Score: 1

    This is a strong argument for PFSense, Smoothwall, or Falcongate

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  36. are backdoors ever used legitimately? by morethanapapercert · · Score: 1
    I seem to recall several scandals of this nature over the years. Routers, backup appliances, firewall appliances (!), cable modems, the list goes on. It wouldn't surprise me in the least to learn that some of the Smart Home hubs on the market today have similar deliberate security flaws. My question goes out to all the slashdotters who are in an I.T. support or admin role or who are on the design team for any internet capable device.

    Have these deliberately crafted backdoors ever had much legitimate use? Bear in mind I'm not talking about devices that go into a special access mode when physical buttons are pressed (like some printers and copiers IIRC). I understand the reasoning that it gives a simple way for the call centre support folks to gain access to their company's devices so they can reset the machine. But as far as I know, this capability is never given to the call centre staff, not even at the tier 2 or higher levels. And I don't think it can be justified from a pre-release unit testing POV either, since the same function could be provided by switching a jumper, enabling a wire trace or plugging into a serial port inside the device, all methods easy enough to disable when the device goes into full production (and all require physical access to the device anyway, so the security risk is minimal).

    I used to work in a call centre, providing support for a US Internet provider. For DOCSIS 2.0 and higher modems, there are some things the support staff could do remotely, but all of them required knowing the serial # for the device. In most markets, that info was not found in the customer's file; we had to ask the customer to read it to us from a label on the bottom or back of the modem. Entering the serial number in a tool we had led to a query against the ISP database and provided the MAC, and from there we could perform a subset of functions. Anything major though required it go to depot where a technician could connect to the serial port inside the modem case. I see no reason why the same strategy couldn't be used for routers, printers et al.

    --
    I need a wheelchair van for my son. Help me get the word out. https://www.gofundme.com/wheelchair-van-for-jj
  37. Doesn't sound like a backdoor so much as ... by Anonymous Coward · · Score: 0

    ... something someone coded for unit testing and forgot to mark as debug only, so it was included in the production build.

    If WD or the NSA wanted to deliberately put in a backdoor, even they wouldn't be stupid enough to use that username and password combo. Or, would they?

  38. I didn't think anyone would get it, lol. by Grog6 · · Score: 1

    Facebook has killed critical thinking. :)

    --
    Truth isn't Truth - Giuliani