Western Digital 'My Cloud' Devices Have a Hardcoded Backdoor (betanews.com)
BrianFagioli shares a report from BetaNews: Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital MyCloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files are at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing. GulfTech Research and Development explains, "The triviality of exploiting this issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc." The My Cloud Storage devices affected by this backdoor include: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Firmware 2.30.172 reportedly fixes the bug, so make sure your device is updated before reconnecting to the internet.
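A defender-side check for the two signals the summary describes, as an added example that is not code from BetaNews, GulfTech or Western Digital: it scans proxy log lines for the hardcoded username in a request URL and for requests to the default NAS hostnames that arrive with a Referer from another site. The log format, the `/placeholder.cgi` path, the parameter names and all sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

BACKDOOR_USER = "mydlinkBRionyg"                   # username quoted in the summary
DEFAULT_HOSTS = {"wdmycloud", "wdmycloudmirror"}   # default hostnames quoted in the summary

# Constructed proxy-log format: client, Host header, "request line", status, "Referer".
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<host>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)

def classify(line):
    """Return the list of findings for one log line (empty if nothing matches)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    findings = []
    host = m["host"].split(":")[0].lower()
    # Decode twice so percent-encoding (or double encoding) does not hide the name.
    target = unquote_plus(unquote_plus(m["target"]))
    if BACKDOOR_USER.lower() in target.lower():
        findings.append("backdoor-username")
    ref_host = (urlsplit(m["referer"]).hostname or "").lower()
    # A request to the NAS whose Referer is a different site matches the
    # embedded iframe/img scenario in the advisory quote.
    if host in DEFAULT_HOSTS and ref_host and ref_host != host:
        findings.append("cross-site-request-to-nas")
    return findings

def scan(lines):
    """Return (client, findings) for every line with at least one finding."""
    return [(line.split()[0], f) for line in lines if (f := classify(line))]

# Constructed sample lines (documentation addresses and example domains).
SAMPLE_LOG = [
    '192.168.1.20 wdmycloud "GET /placeholder.cgi?user=mydlinkBRionyg HTTP/1.1" 200 "http://news.example/article"',
    '192.168.1.21 wdmycloud "GET /index.html HTTP/1.1" 200 "http://wdmycloud/"',
    '192.168.1.22 wdmycloudmirror "POST /placeholder.cgi HTTP/1.1" 200 "http://ads.example/frame"',
    '203.0.113.9 nas.example "GET /placeholder.cgi?u=mydlink%42Rionyg HTTP/1.1" 401 "-"',
]

if __name__ == "__main__":
    for client, findings in scan(SAMPLE_LOG):
        print(client, ",".join(findings))
```

Only the request URL is visible in a log like this, so credentials sent in a POST body are caught by the Referer rule alone, as in the third sample line.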
...it was disclosed to Western Digital six months ago and the company did nothing.
Firmware 2.30.172 reportedly fixes the bug...
Also, I don't think releasing a firmware update is doing nothing.
SIG FAULT: Post index out of bounds.
... the company apparently did nothing until November 2017.
How can it be possible that a big company like Western Digital constructs a backdoor to your personal data? Such a company - and its owners - should be shut down, prosecuted and put behind bars for many - many - years... This is not an accident. This is making sure by design they (and maybe their partners, workforce, ex-workforce and 3-letter agencies) have access to your private data. I for one will never buy another device from Western. Who knows what they have done to the ICs in their hard disks to provide access to my data. I cannot look into a chip and they know that!
It's a massive screwup, though we don't really know how it got there yet. A few quick scenarios are:
1) It could have been a deliberate backdoor for WD, the government, etc, that was sanctioned by the highest levels of the company, but this seems quite unlikely.
2) It could be a malicious employee (or even outside attacker) who introduced the backdoor for their own purposes.
3) An individual or team who didn't know any better put it there.
4) An individual or team added it for testing purposes, and people forgot and never pulled it out.
My money would be on 3 or 4; reading the advisory from the security researcher, it sounds like there was a lot of sloppiness in the WD code.
It sounds like it was inherited from another WD product that got patched in 2014 (but the patch was never ported to this device) so my money is on crappy software processes.
I stole this Sig
They probably didn't construct it - a low-bidder did.
"Brian" Y.G. reused the same code he did for the D-Link job, if one had to venture a guess.
That tells you something about WD's quality.
That they found out about this six months ago tells you something about their responsibility. It's actions like these that make class action attorneys drool while they mumble "willful negligence". It's cheaper to fix the code, IMO.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
When I entered the username, "mydlinkBRionyg" (without the quotes), the text box had an "X" in it, saying, "Only administrator users are allowed."
Please tell me their "fix" wasn't a JavaScript block to prevent you from entering the password for that user.
How can it be possible that a big company like Western Digital constructs a backdoor to your personal data? Such a company - and its owners - should be shut down, prosecuted and put behind bars for many - many - years... This is not an accident. This is making sure by design they (and maybe their partners, workforce, ex-workforce and 3-letter agencies) have access to your private data. I for one will never buy another device from Western. Who knows what they have done to the ICs in their hard disks to provide access to my data. I cannot look into a chip and they know that!
Western Digital knows your opinion represents less than 1% of their current customer base. You mean less to them than the corporate coffee clerk being accused of sexual assault, which means they're not going to think twice about re-installing backdoors into their products if it provides them even the slightest benefit.
Consumers simply don't give a shit. Firmware update a storage device? That will never happen across 90% of deployed product unless Western Digital does it themselves in a fully automated manner.
Hard coded means written into the software as opposed to being user configurable. So the author is correct and you were wrong.
Hardcoded is why it takes a firmware update to change it rather than go to setup page x and uncheck the box next to "big security hole".