The WD My Cloud line has been found to be vulnerable to multiple attacks and while one bug was fixed, other ones were introduced. That is the bad news and the maybe worse news is, that the flaws are public knowledge now. With that in mind, you might want to kill the internet connection to your WD My Cloud device, if you have one running.
Exploitee.rs discovered a number of unpatched security flaws in Western Digital’s My Cloud models that let remote intruders bypass the login system altogether, insert their own commands, and upload files without any permissions at all. Those are some serious flaws.
The reason that the researchers went public with their findings right away instead of reporting them back to WD is that WD has a very bad reputation in that regard. For example, the vendor won a “Pwnie for Lamest Vendor Response” at the last BlackHat conference in Vegas in a situation where the vendor ignored the severity of a set of bugs reported to them. By going public with the information, Exploitee.r hopes to force WD to react and patch the flaws.
While forcing WD’s hand, the researchers also put users are at risk until the flaws are patched. So it is highly recommended that you disconnect any of these devices from the Internet. They’ll still be vulnerable locally through your ethernet connections, but that is a lot harder for hackers to gain access to.
The full blog post goes into details on how to reproduce and exploit the hack through the web interface’s source code, and it also explains why it’s possible. In short, bad coding skills and misuse of commands. There is even a demo video on YouTube which shows you how it is done. The scary part is how easy it is. Now we only can hope that WD patches these issues as soon as possible.
Most, if not all, of the research, can be applied to the entire series of Western Digital My Cloud products. This includes the following devices:
And number of bugs found in total is the scariest part:
I've got a few GameSir controllers in my extensive assortment of peripherals, as they're perfect…
Sharkoon has just revealed their latest mini-ITX PC case, and it looks set to be…
Final Fantasy 16 has taken a fresh approach to draw in both younger audiences and…
Lamptron, a known entity in the PC cooling market, has been caught selling counterfeit keys…
Samsung is gearing up for a significant leap in solid state drive (SSD) technology with…
Thanks to a very detailed report by The Verge the highly anticipated PlayStation 5 Pro…