Western Digital 'My Cloud' Devices Have a Hardcoded Backdoor (betanews.com)
BrianFagioli shares a report from BetaNews: Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital MyCloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files are at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing. GulfTech Research and Development explains, "The triviality of exploiting this issue makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc." The My Cloud Storage devices affected by this backdoor include: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Firmware 2.30.172 reportedly fixes the bug, so make sure your device is updated before reconnecting to the internet.
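A defender-side check built from the details in the report above (added example, not code from BetaNews, GulfTech or Western Digital): it flags firmware older than the version said to fix the bug, and scans authentication log lines for use of the hardcoded account, noting whether the request arrived through one of the predictable default hostnames that the browser-based attack relies on. The log line format and the sample entries are constructed for the example; a real device's log format will differ.

```python
import re
from typing import Iterable, List, Tuple

# Values taken from the report: the backdoor account name, the firmware that
# reportedly removes it, and the default hostnames a malicious page can target.
BACKDOOR_USER = "mydlinkBRionyg"
FIXED_FIRMWARE = "2.30.172"
PREDICTABLE_HOSTS = {"wdmycloud", "wdmycloudmirror"}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.30.172' into (2, 30, 172) so versions compare numerically."""
    return tuple(int(p) for p in v.strip().split("."))

def is_vulnerable_firmware(version: str) -> bool:
    """Assumption: every firmware older than FIXED_FIRMWARE still ships the backdoor."""
    return parse_version(version) < parse_version(FIXED_FIRMWARE)

# Constructed log format (hypothetical, not WD's real format):
#   <timestamp> login user=<name> src=<client ip> host=<Host header> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"host=(?P<host>\S+) result=(?P<result>\S+)$"
)

def find_backdoor_logins(lines: Iterable[str]) -> List[dict]:
    """Return every login (successful or not) that used the hardcoded account.
    via_default_host is True when the request named one of the predictable
    hostnames, which is how a cross-site iframe/img request would reach the NAS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["user"].lower() != BACKDOOR_USER.lower():
            continue
        hits.append({
            "ts": m["ts"], "src": m["src"], "result": m["result"],
            "via_default_host": m["host"].lower() in PREDICTABLE_HOSTS,
        })
    return hits

# Constructed sample log: one normal admin login, one backdoor login through the
# default hostname (LAN CSRF pattern), one ordinary failure, one backdoor attempt
# from outside the LAN that failed (patched device).
SAMPLE_LOG = [
    "2018-01-05T10:00:01Z login user=admin src=192.168.1.20 host=wdmycloud result=ok",
    "2018-01-05T10:02:13Z login user=mydlinkBRionyg src=192.168.1.77 host=wdmycloud result=ok",
    "2018-01-05T10:05:40Z login user=alice src=192.168.1.21 host=192.168.1.5 result=fail",
    "2018-01-05T10:07:02Z login user=mydlinkBRionyg src=203.0.113.9 host=203.0.113.40 result=fail",
]

if __name__ == "__main__":
    print("firmware 2.30.165 vulnerable:", is_vulnerable_firmware("2.30.165"))
    for hit in find_backdoor_logins(SAMPLE_LOG):
        print("backdoor account used:", hit)
```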
... on my "WD Mycloud" wireless device that I purchased last year.
When I entered the username, "mydlinkBRionyg" (without the quotes), the text box had an "X" in it, saying, "Only administrator users are allowed."
I checked the firmware version and it does have the latest (2.30.172).
I do not allow access from outside the local LAN and I have to log in as Admin and enable "Share" in order to map a drive.
I leave Share activated only during the short period of time that it takes to copy files to/from the device and then I disable Share again.
I'm hoping that "offline" condition protects me from intruders.
It little behooves the best of us to comment on the rest of us.
Look at the string "dlink". I had a laptop (Sony Vaio) that would spontaneously connect to a DLink router somewhere else in our neighborhood. By spontaneously connect, I mean wi-fi was disabled by the Linux GUI options, only to see the laptop connect spontaneously to a DLink router. Because the case of the laptop was used as the wi-fi antenna, it had 100 meters range.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
With Sarbanes-Oxley passed years ago, not a single CEO has been held accountable. Yet, this is ANOTHER case where the CEO SHOULD and MUST be held accountable for allowing their company to produce a clear and dangerous product deficiency.
Democrats wanted SO but never use it. Was it just a money grab as people said it was? The answer is: Yes. Another worse law by worthless liberals that costs this country BILLIONS each year. Either repeal S.O. or apply it!
I wonder what people are expecting. They aren't treating this seriously, at least on My Cloud Gen 2 (current) there isn't even an option to cleanly shutdown or unmount or mount read-only the main volume. Not even if you enable ssh access (which they warn you not to, for good reason as it is OpenSSH_5.0p1, probably close to 10 years old).
This is not something you don't catch at testing, not something you design later. Anybody who has used a computer since Windows 95 and has some working neurons will think "hm, I'm supposed to do some tests or write some documentation on this box I have here but now that I'm done how do I shut it down. Pull the plug? Nah, can't be.". They probably asked and the well-practiced answer from the (inaptly called) Engineering was "just pull the plug on that 8TB ext4 volume, what can go wrong?".
I think this is the best answer. I doubt "Western Digital" had much to do with the actual software development. They probably had some web designer approve the user interface look and feel for compliance to their design standards and the rest was done who knows where.
The downside to open source software seems to be the ease at which it allows multinationals to buy the cheapest software possible without actually having to invest much at all in software development, all they need is someplace minimally competent to glue together a bunch of open source components.