Slashdot Mirror


Western Digital 'My Cloud' Devices Have a Hardcoded Backdoor (betanews.com)

BrianFagioli shares a report from BetaNews: Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital MyCloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files are at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing. GulfTech Research and Development explains, "The triviality of exploiting this issue makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc." The My Cloud Storage devices affected by this backdoor include: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Firmware 2.30.172 reportedly fixes the bug, so make sure your device is updated before reconnecting to the internet.
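The GulfTech quote above describes a cross-site request: a page you happen to visit embeds an iframe or img that hits a predictable LAN hostname such as wdmycloud, and your browser delivers the request for the attacker. The following is an added example, not code from BetaNews, GulfTech or Western Digital, of the server-side defence a NAS admin API needs against that: state-changing requests are refused unless the Origin (or Referer) host matches the host the request was addressed to, and they must also carry a per-session CSRF token. The endpoint path /api/admin/user, the X-CSRF-Token header name and the sample hostnames are assumptions made for the demo.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Methods that must never change device state. A cross-site <img> or <iframe>
// can only issue these, so the first rule is: no mutation behind GET, ever.
var safeMethods = map[string]bool{"GET": true, "HEAD": true, "OPTIONS": true}

// sameOriginRequest reports whether a state-changing request plausibly came
// from the device's own web UI: the Origin header (or, as a fallback, the
// Referer) must name the same host the request was addressed to. A hidden form
// or script on a third-party page carries that page's origin, so it is refused.
// Requests with neither header are refused too, because browsers attach Origin
// to cross-site POSTs, so its absence is not evidence of safety. The host
// comparison is exact, port included.
func sameOriginRequest(r *http.Request) bool {
	if safeMethods[r.Method] {
		return true
	}
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	if src == "" {
		return false
	}
	u, err := url.Parse(src)
	if err != nil || u.Host == "" {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// validCSRFToken is the second line of defence: a per-session secret that the
// device's own UI echoes in a header and that a third-party page cannot read.
// Constant-time comparison avoids leaking the token byte by byte via timing.
func validCSRFToken(r *http.Request, expected string) bool {
	got := r.Header.Get("X-CSRF-Token") // header name assumed for this example
	return subtle.ConstantTimeCompare([]byte(got), []byte(expected)) == 1
}

// protect wraps an admin handler: safe methods pass, everything else needs
// both a same-origin source and the session's CSRF token.
func protect(sessionToken string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !sameOriginRequest(r) || (!safeMethods[r.Method] && !validCSRFToken(r, sessionToken)) {
			http.Error(w, "cross-site request refused", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Decide returns the HTTP status the protected endpoint would answer for a
// request built from these fields, so the policy can be exercised offline.
func Decide(method, host, origin, referer, token, sessionToken string) int {
	r := httptest.NewRequest(method, "http://"+host+"/api/admin/user", nil) // path assumed
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	if referer != "" {
		r.Header.Set("Referer", referer)
	}
	if token != "" {
		r.Header.Set("X-CSRF-Token", token)
	}
	rec := httptest.NewRecorder()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") })
	protect(sessionToken, ok).ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	// Constructed requests: a cross-site POST from a page the user visited,
	// and a genuine POST from the device's own UI carrying the session token.
	fmt.Println("cross-site POST  ->", Decide("POST", "wdmycloud", "http://attacker.example", "", "", "s3cr3t"))
	fmt.Println("same-origin POST ->", Decide("POST", "wdmycloud", "http://wdmycloud", "", "s3cr3t", "s3cr3t"))
}
```

The Origin check alone is not enough on a device reached by a bare LAN hostname, because a misconfigured proxy or an older browser can strip the header; the token check is what holds when that happens. Neither check helps if the device performs changes on GET, which is why safeMethods is exempt only on the assumption that those methods are read-only.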

31 of 160 comments

  1. predictable default hostnames by perpenso · Score: 3, Funny

    > ... using one of the many predictable default hostnames ...

    Good thing I renamed mine to "FutureCorruptedBackup" ;-)

  2. Re:12345? by perpenso · Score: 2, Funny

    12345? That's the same combination as my luggage!

    Per TSA regulations :-)

  3. Standard procedure by Anonymous Coward · Score: 2, Informative

    Whenever I buy a new external drive the first thing I do is repartition it to get rid of whatever shitty software they included and reformat it.

    1. Re:Standard procedure by wierd_w · Score: 2

      You TOTALLY CAN do that on the MyCloud.

      The boot loader looks for an unsigned kernel and initrd on a specific partition, formatted as FAT32, with a specific file name.

      You can bake your own and put it on the drive, and the mycloud will boot that image and initrd without complaints.

      In the community pages, we have been working on a straight up clean Debian for quite some time. There are instructions on how to configure and compile your own kernel from the stock device tree.

  4. 2018 by santax · Score: 3, Informative

    How can it be possible that a big company like Western Digital constructs a backdoor to your personal data? Such a company - and its owners - should be shut down, prosecuted and put behind bars for many - many - years... This is not an accident. This is making sure by design they (and maybe their partners, workforce, ex-workforce and 3-letter agencies) have access to your private data. I for one will never buy another device from Western. Who knows what they have done to the ICs in their hard disks to provide access to my data. I cannot look into a chip and they know that!

    1. Re:2018 by Baron_Yam · Score: 2

      > How can it be possible that a big company like Western Digital constructs a backdoor to your personal data?

      It's not unheard of for companies to do this on consumer devices, for technical support to assist people who lock themselves out of devices and don't want to lose data. Up until now I'd only ever seen it in rebranded modems bundled with DSL service, but for a while it was difficult to avoid.

      I agree it was never a good idea, and nowadays it should be considered criminal.

    2. Re:2018 by quantaman · Score: 5, Insightful

      > How can it be possible that a big company like Western Digital constructs a backdoor to your personal data? Such a company - and its owners - should be shut down, prosecuted and put behind bars for many - many - years... This is not an accident. This is making sure by design they (and maybe their partners, workforce, ex-workforce and 3-letter agencies) have access to your private data. I for one will never buy another device from Western. Who knows what they have done to the ICs in their hard disks to provide access to my data. I cannot look into a chip and they know that!

      It's a massive screwup, though we don't really know how it got there yet, a few quick scenarios are:
      1) It could have been a deliberate backdoor for WD, the government, etc, that was sanctioned by the highest levels of the company, but this seems quite unlikely.
      2) It could be a malicious employee (or even outside attacker) who introduced the backdoor for their own purposes.
      3) An individual or team who didn't know any better put it there.
      4) An individual or team added it for testing purposes, and people forgot and never pulled it out.

      My money would be on 3 or 4; reading the advisory from the security researcher, it sounds like there was a lot of sloppiness in the WD code.

      It sounds like it was inherited from another WD product that got patched in 2014 (but the patch was never ported to this device) so my money is on crappy software processes.

      --
      I stole this Sig

    3. Re:2018 by bill_mcgonigle · Score: 4, Insightful

      They probably didn't construct it - a low-bidder did.

      "Brian" Y.G. reused the same code he did for the D-Link job, if one had to venture a guess.

      That tells you something about WD's quality.

      That they found out about this six months ago tells you something about their responsibility. It's actions like these that make class action attorneys drool while they mumble "willful negligence". It's cheaper to fix the code, IMO.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

    4. Re:2018 by Anonymous Coward · Score: 3, Informative

      I'll tell you exactly how it got there: firmware and software development for consumer garbage like this is outsourced to the deepest, darkest bowels of China and India. The code is copied and pasted from the last project, or open source stuff is smashed together until it basically works and they ship it. In this particular case, maybe it was a convenience during development, or maybe there was an organized plan to take advantage of dumb (American) consumers who would never know any better.

      Welcome to the future of embedded software development. Unless there is some way to make legal liability stick to the companies who are treating it like unimportant scut work to be sent to the lowest bidder.

    5. Re:2018 by mikael · Score: 3, Interesting

      Look at the string "dlink". I had a laptop (Sony Vaio) that would spontaneously connect to a DLink router somewhere else in our neighborhood. By spontaneously connect, I mean wi-fi was disabled by the Linux GUI options, only to see the laptop connect spontaneously to a DLink router. Because the case of the laptop was used as the wi-fi antenna, it had 100 meters range.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads

    6. Re:2018 by geekmux · Score: 3, Insightful

      > How can it be possible that a big company like Western Digital constructs a backdoor to your personal data? Such a company - and its owners - should be shut down, prosecuted and put behind bars for many - many - years... This is not an accident. This is making sure by design they (and maybe their partners, workforce, ex-workforce and 3-letter agencies) have access to your private data. I for one will never buy another device from Western. Who knows what they have done to the ICs in their hard disks to provide access to my data. I cannot look into a chip and they know that!

      Western Digital knows your opinion represents less than 1% of their current customer base. You mean less to them than the corporate coffee clerk being accused of sexual assault, which means they're not going to think twice about re-installing backdoors into their products if it provides them even the slightest benefit.

      Consumers simply don't give a shit. Firmware update a storage device? That will never happen across 90% of deployed product unless Western Digital does it themselves in a fully automated manner.

    7. Re:2018 by swb · Score: 3, Interesting

      I think this is the best answer. I doubt "Western Digital" had much to do with the actual software development. They probably had some web designer approve the user interface look and feel for compliance to their design standards and the rest was done who knows where.

      The downside to open source software seems to be the ease with which it allows multinationals to buy the cheapest software possible without actually having to invest much at all in software development; all they need is someplace minimally competent to glue together a bunch of open source components.

    8. Re:2018 by coofercat · Score: 2

      1) Team A write version 1.0 of firmware for product X. Along the way, they put some hard-coded credentials in for testing.
      2) Team B is tasked to work on firmware for product Y. They fork X1.0 as a starting point (possibly without clearly stating they are doing this to Team A, so Team A isn't really aware of their existence).
      3) Team A fixes the issue in their code, makes 1.1 for product X. The uptake of the firmware by the public is 10% of the install base.
      4) Poor internal communication, and the lack of urgency created by the poor up-take of the new firmware means Team B never hears about the update.
      5) Team B produces 1.0 for product Y.
      6) Product Y sells like hot-cakes, far eclipsing product X.

      I don't know where you've worked, or for how long, but (4) seems to happen just about anywhere larger than a few hundred people. 'Commercial pressures' mean that Team B never really spend any time reviewing the code they inherited, and it's also possible Team B are the outsource, or the junior folks because they're only 'tweaking the code' for the new product, not writing low-level code from scratch.

      I'll bet this sort of chain of events happens all over the place ("Team A" could be library or framework writers, not just product folks). It probably doesn't 'leak' security problems every time though.

  5. WD is not what it used to be by LeftCoastThinker · Score: 2

    I was a fan of WD for a long time, I even had a couple of their NAS My Book Live drives, which were quite nice for the price and were accessible directly over the LAN, but the new "My Cloud" drives require crappy software to work and require you to always be online to work, both deal killers for me. These days I only buy HGST drives (yes, I know WD owns them, but they are still made by a different group).

    --
    If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like

  6. Re:"Hardcoded"? by Jake+Griffin · Score: 4, Insightful

    > ...it was disclosed to Western Digital six months ago and the company did nothing.

    > Firmware 2.30.172 reportedly fixes the bug...

    Also, I don't think releasing a firmware update is doing nothing.

    --
    SIG FAULT: Post index out of bounds.

  7. Re:WD did nothing! by Swave+An+deBwoner · Score: 2

    Firmware Release 2.30.172 (11/16/2017)

    So, OK, June 16 to November 16 is only 5 months.

    But their release notes don't even mention the severity of the problem and the importance of installing the updated firmware!

  8. Re:WD did nothing! by Jake+Griffin · Score: 2

    That was what I came here to point out. Their release notes even state that it resolves "critical security vulnerabilities" - https://community.wd.com/t/2-3...

    --
    SIG FAULT: Post index out of bounds.

  9. Re:WD did nothing! by Jake+Griffin · Score: 4, Insightful

    Just read TFA... the summary cut off a critical piece of information. TFA states:

    > ... the company apparently did nothing until November 2017.

    --
    SIG FAULT: Post index out of bounds.

  10. Re: 12345? by Khyber · Score: 2

    Nah. Always Be Careful... 12345... Can't Be Assed.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

  11. I tried this ... by CaptainDork · Score: 3, Interesting

    ... on my "WD Mycloud" wireless device that I purchased last year.

    When I entered the username, "mydlinkBRionyg" (without the quotes), the text box had an "X" in it, saying, "Only administrator users are allowed."

    I checked the firmware version and it does have the latest (2.30.172).

    I do not allow access from outside the local LAN and I have to log in as Admin and enable "Share" in order to map a drive.

    I leave Share activated only during the short period of time that it takes to copy files to/from the device and then I disable Share again.

    I'm hoping that "offline" condition protects me from intruders.

    --
    It little behooves the best of us to comment on the rest of us.

    1. Re: I tried this ... by LordKronos · Score: 4, Insightful

      > When I entered the username, "mydlinkBRionyg" (without the quotes), the text box had an "X" in it, saying, "Only administrator users are allowed."

      Please tell me their "fix" wasn't a JavaScript block to prevent you from entering the password for that user.

  12. Jagger said it best by alvinrod · Score: 3, Funny

    Jagger said it best: "Hey! You! Get off of my cloud!"

  13. Re:"Hardcoded"? by fisted · Score: 3

    "Bug"? Yeah, me neither.

    As for "hardcoded", I don't think the word means what you think it means.

  14. Re:12345? by Ackmo · Score: 5, Funny

    The movie you're referencing came out 31 years ago. Your age is showing.

    I'm shocked - shocked! - to find that old movie references are going on in here!

  15. Re: 12345? by JustOK · Score: 2

    Michael Jackson's BEST movie, IMHO

    --
    rewriting history since 2109

  16. Serious question by RogueWarrior65 · Score: 2

    So, let's say you're designing a Linux-based embedded system and you want to be able to make modifications and upgrades to the OS in the field. How do you allow for this without root access? And so what if the root user has a password? If you have to give that to a customer to perform these upgrades, that password is no longer secure.
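One established answer to the question in this post, given here as an added example rather than as any commenter's or vendor's code: the device runs its updater with root rights, but it never needs a root password from anyone, because it accepts only update images whose manifest is signed by a vendor key. The private half stays on the vendor's offline signing host; the device carries only the public half. The manifest layout (version, SHA-256 of the image, ed25519 signature over both) and the rollback rule are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest travels with an update image. Nothing in it is secret; its value is
// that only the holder of the vendor's private key can produce the Signature.
type Manifest struct {
	Version   uint64   // monotonically increasing release number
	ImageHash [32]byte // SHA-256 of the image file
	Signature []byte   // ed25519 signature over signedBytes(Version, ImageHash)
}

// signedBytes is the exact byte string the vendor signs and the device checks:
// big-endian version followed by the image digest.
func signedBytes(version uint64, imageHash [32]byte) []byte {
	buf := make([]byte, 8+32)
	binary.BigEndian.PutUint64(buf, version)
	copy(buf[8:], imageHash[:])
	return buf
}

// NewVendorKeys creates a key pair. In practice this happens once, offline,
// and only the public key is compiled into the firmware.
func NewVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate runs on the vendor's signing host, never on the device.
func SignUpdate(priv ed25519.PrivateKey, version uint64, image []byte) Manifest {
	h := sha256.Sum256(image)
	return Manifest{Version: version, ImageHash: h, Signature: ed25519.Sign(priv, signedBytes(version, h))}
}

// VerifyUpdate runs on the device with root rights but exposes no credential.
// The image is installed only if the manifest carries a valid vendor signature,
// the image matches the signed digest, and the version is newer than what is
// installed; the last rule stops replay of an old, validly signed but
// vulnerable image.
func VerifyUpdate(pub ed25519.PublicKey, installed uint64, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.ImageHash), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image digest does not match signed manifest")
	}
	if m.Version <= installed {
		return fmt.Errorf("rollback refused: version %d is not newer than installed %d", m.Version, installed)
	}
	return nil
}

func main() {
	pub, priv := NewVendorKeys()
	image := []byte("constructed firmware image bytes") // stands in for a real image file
	m := SignUpdate(priv, 2, image)
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, m, image))
	image[0] ^= 1
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, m, image))
}
```

The customer hands the device a file, not a password: the update path can be an unprivileged upload handler, and the root-level work happens only after VerifyUpdate succeeds. Field modifications that are not signed releases (debugging, custom kernels) then need a deliberate, per-unit unlock rather than a credential every unit shares.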

  17. And will Sarbanes-Oxley be applied? by Anonymous Coward · Score: 2, Interesting

    With Sarbanes-Oxley passed years ago, not a single CEO has been held accountable. Yet, this is ANOTHER case where the CEO SHOULD be and MUST be held accountable for allowing their company to produce a clear and dangerous product deficiency.

    Democrats wanted SO but never use it. Was it just a money grab as people said it was? The answer is: Yes. Another worse law by worthless liberals that costs this country BILLIONS each year. Either repeal S.O. or apply it!

  18. joke product, there isn't even a shutdown option by itsme1234 · Score: 3, Interesting

    I wonder what people are expecting. They aren't treating this seriously, at least on My Cloud Gen 2 (current) there isn't even an option to cleanly shutdown or unmount or mount read-only the main volume. Not even if you enable ssh access (which they warn you not to, for good reason as it is OpenSSH_5.0p1, probably close to 10 years old).

    This is not something you don't catch at testing, not something you design later. Anybody who has used a computer since Windows 95 and has some working neurons will think "hm, I'm supposed to do some tests or write some documentation on this box I have here but now that I'm done how to shut it down. Pull the plug? Nah, can't be.". They probably asked and the well practiced answer from the (inaptly called) Engineering was "just pull the plug on that 8TB ext4 volume, what can go wrong?".

  19. Re:12345? by elgatozorbas · Score: 2

    Your karma, Sir.

  20. Re:"Hardcoded"? by sjames · Score: 3, Insightful

    Hard coded means written into the software as opposed to being user configurable. So the author is correct and you were wrong.

    Hardcoded is why it takes a firmware update to change it rather than go to setup page x and uncheck the box next to "big security hole".
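sjames's definition above (written into the software rather than user configurable) and coofercat's fork scenario earlier in the thread (a test credential left in version 1.0 and inherited by every fork) are two sides of the same defect. The following is an added example, not code from Western Digital, D-Link or any commenter, showing the pattern and its hardened form in Go. The credential "support-test" / "test-only" is a constructed placeholder, not the values from the advisory; the user store, its PBKDF2 hashing and the function names are all assumptions for the demo. The point of the last two functions is that a test asserting the leftover account does not authenticate would have failed in every fork that kept the bypass.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed placeholder for a leftover test credential. These are NOT the
// values from the advisory; they stand in for "something a developer typed in
// during testing and never removed".
const (
	leftoverUser = "support-test"
	leftoverPass = "test-only"
)

// record is one stored user: a random per-user salt and a PBKDF2-HMAC-SHA256
// hash of the password. Only hashes are kept, never the password itself.
type record struct{ salt, hash []byte }

// UserStore is the configurable credential store: accounts can be added,
// changed and removed at runtime, which is exactly what "hardcoded" is not.
type UserStore struct {
	users map[string]record
	iter  int // PBKDF2 iteration count; raise it as the hardware allows
}

func NewUserStore(iter int) *UserStore {
	return &UserStore{users: map[string]record{}, iter: iter}
}

func (s *UserStore) Add(user, pass string) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	s.users[user] = record{salt: salt, hash: pbkdf2SHA256([]byte(pass), salt, s.iter, 32)}
}

// Check compares in constant time and hashes even for unknown users, so the
// response time does not reveal which account names exist.
func (s *UserStore) Check(user, pass string) bool {
	rec, ok := s.users[user]
	if !ok {
		rec = record{salt: make([]byte, 16), hash: make([]byte, 32)}
	}
	got := pbkdf2SHA256([]byte(pass), rec.salt, s.iter, 32)
	return ok && subtle.ConstantTimeCompare(got, rec.hash) == 1
}

// VulnerableLogin is the pattern the thread describes: a credential written
// into the program, checked before the store, present on every unit shipped
// and removable only by a firmware update.
func VulnerableLogin(store *UserStore, user, pass string) bool {
	if user == leftoverUser && pass == leftoverPass {
		return true
	}
	return store.Check(user, pass)
}

// HardenedLogin has exactly one source of truth: the configurable store.
func HardenedLogin(store *UserStore, user, pass string) bool {
	return store.Check(user, pass)
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out here so the
// example needs only the standard library. A real device should prefer a
// memory-hard function such as Argon2 or scrypt.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

func main() {
	store := NewUserStore(100000)
	store.Add("admin", "correct horse battery staple") // constructed sample account
	fmt.Println("leftover credential, vulnerable:", VulnerableLogin(store, leftoverUser, leftoverPass))
	fmt.Println("leftover credential, hardened:  ", HardenedLogin(store, leftoverUser, leftoverPass))
	fmt.Println("real admin, hardened:           ", HardenedLogin(store, "admin", "correct horse battery staple"))
}
```

A cheap companion control is a build-time scan of the firmware tree for string literals that reach the authentication path; it catches the "Team B forked it and never looked" case without relying on anyone remembering the credential existed.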

  21. Calm Down and adjust your tinfoil hat. by DarthVain · Score: 2

    I am not in the least surprised. This isn't anything malicious, or nefarious. I'm almost certain that this was implemented intentionally for user support purposes.

    Users forget their credentials all the time. If there is no backdoor, all their data is lost. Likely someone ran the risk matrix and determined it was better to have a backdoor that could provide access to users (likely support staff to go in and reset users' passwords), than to have a bunch of angry users losing all their data all the time. Anyone that has worked in IT for any period of time will know that this issue is constant and likely the most numerous reason for support calls.

    Further, if you're using a commercial WD Cloud NAS, you aren't holding the nuclear codes or any kind of industrial secrets in there. At worst, there will be a lot of personal information you might not like out in the wild. Considering a user could presumably also further encrypt their data on said NAS if they really wanted to, if they were really storing something sensitive really puts it back onto the user. I wouldn't be surprised that somewhere buried in the WD cloud EULA all of this is explained and indemnified for WD.

    The only thing I find a bit surprising is the half-assed way it was seemingly implemented. The username is "mydlinkBRionyg" and the password is "abc12345cba"? Really? That is just lazy. They could have at least made the method a bit more difficult or at least came up with a username/password that wasn't something an 8-year-old would come up with...