Slashdot Mirror

← Back to Stories (view on slashdot.org)

Western Digital 'My Cloud' Devices Have a Hardcoded Backdoor (betanews.com)

Posted by BeauHD on from the public-service-announcement dept.

BrianFagioli shares a report from BetaNews: Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital MyCloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files are at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing. GulfTech Research and Development explains, "The triviality of exploiting this issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc." The My Cloud Storage devices affected by this backdoor include: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Firmware 2.30.172 reportedly fixes the bug, so make sure your device is updated before reconnecting to the internet.

3 of 160 comments (clear)

  1. Standard procedure by Anonymous Coward · · Score: 2, Informative

    Whenever I buy a new external drive the first thing I do is repartition it to get rid of whatever shitty software they included and reformat it.

  2. 2018 by santax · · Score: 3, Informative

    How can it be possible that a big company like Western Digital constructs a backdoor to your personal data? Such a company - and it's owners - should shut down, prosecuted and put behind bars for many - many - years... This is not an accident. This is making sure by design they (and maybe their partners, workforce, ex-workforce and 3-letter agencies) have acces to your private data. I for one will never buy another device from Western. Who knows what they have done to the IC's in their harddisks to provide access to my data. I can not look into a chip and they know that!

    1. Re:2018 by Anonymous Coward · · Score: 3, Informative

      I'll tell you exactly how it got there: firmware and software development for consumer garbage like this is outsourced to the deepest, darkest bowels of China and India. The code is copied and pasted from the last project, or open source stuff is smashed together until it basically works and they ship it. In this particular case, maybe it was a convenience during development, or maybe there was an organized plan to take advantage of dumb (American) consumers who would never know any better.

      Welcome to the future of embedded software development. Unless there is some way to make legal liability stick to the companies who are treating it like unimportant scut work to be sent to the lowest bidder.