Thursday, January 5th 2017

Western Digital Ships "Someone's Backdoor" With My Cloud Drives

Western Digital has seemingly been shipping its My Cloud personal network attached storage (NAS) devices with an integrated backdoor. It is not a sophisticated one, either, which is exactly why any attacker can rely on it: the credentials are hard-coded into the firmware, so the owner can neither change nor disable them. Logging in to someone's My Cloud is as simple as entering "mydlinkBRionyg" as the administrator username and "abc12345cba" as the password. Once logged in, the attacker has the access needed to inject shell commands, which the advisory describes as a trivial route to a remote root shell.
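As an added illustration (not code from the article or from the GulfTech advisory), the script below hunts an extracted firmware image or root filesystem for the two hard-coded strings quoted above. A built-in credential has to live somewhere in the shipped image, so a byte search over the files is a quick way to confirm whether a firmware build you have on hand still carries it, and which binary it sits in. The sample "binary" is a constructed byte string, not a real My Cloud file, and the function names are assumed for this example.

```python
"""Hunt an extracted firmware image or root filesystem for hard-coded credentials.

Added example, not code from the article or the GulfTech advisory. The two
needles below are the strings quoted in the article; everything else here
(function names, the sample blob) is constructed for illustration.
"""
import os
import re
from typing import Dict, List, Tuple

# Hard-coded backdoor credentials quoted in the advisory.
KNOWN_CREDENTIALS: Dict[bytes, str] = {
    b"mydlinkBRionyg": "backdoor username",
    b"abc12345cba": "backdoor password",
}

# Runs of 4+ printable ASCII bytes, the same heuristic strings(1) uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")

Hit = Tuple[int, str, str]  # (offset, label, value)


def find_known_credentials(blob: bytes, needles: Dict[bytes, str] = KNOWN_CREDENTIALS) -> List[Hit]:
    """Return every occurrence of each needle as (offset, label, value), sorted by offset."""
    hits: List[Hit] = []
    for needle, label in needles.items():
        start = 0
        while True:
            idx = blob.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, label, needle.decode("ascii")))
            start = idx + 1  # keep going: the string may appear more than once
    return sorted(hits)


def credential_pair_adjacent(blob: bytes, max_distance: int = 256) -> bool:
    """True if a username hit and a password hit lie within max_distance bytes.

    Two entries next to each other in a string table are a much stronger
    signal of a compiled-in credential check than either string on its own.
    """
    hits = find_known_credentials(blob)
    users = [off for off, label, _ in hits if label == "backdoor username"]
    passwords = [off for off, label, _ in hits if label == "backdoor password"]
    return any(abs(u - p) <= max_distance for u in users for p in passwords)


def nearby_strings(blob: bytes, offset: int, window: int = 64) -> List[str]:
    """Printable strings around a hit, to see which binary or handler it belongs to."""
    lo, hi = max(0, offset - window), min(len(blob), offset + window)
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob[lo:hi])]


def scan_tree(root: str) -> Dict[str, List[Hit]]:
    """Walk an extracted filesystem and report every file containing a needle."""
    findings: Dict[str, List[Hit]] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # device nodes, broken symlinks, unreadable files
            hits = find_known_credentials(data)
            if hits:
                findings[path] = hits
    return findings


# Constructed sample: a fake CGI binary whose string table carries the pair.
SAMPLE_BINARY = (
    b"\x7fELF" + b"\x00" * 12
    + b"login.cgi\x00" + b"admin\x00"
    + b"mydlinkBRionyg\x00" + b"abc12345cba\x00"
    + b"/cgi-bin/\x00"
)

if __name__ == "__main__":
    for off, label, value in find_known_credentials(SAMPLE_BINARY):
        print(f"0x{off:04x}  {label:<18} {value!r}  near {nearby_strings(SAMPLE_BINARY, off)}")
    print("pair adjacent:", credential_pair_adjacent(SAMPLE_BINARY))
```

Point scan_tree() at an unpacked root filesystem (for example the output of a squashfs extraction) to get a per-file list of hits; if the pair still shows up adjacent in a binary after applying a firmware update, the update has not removed the check.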

The backdoor was found by James Bercegay of GulfTech Research and Development and was reported to Western Digital on June 12th 2017. More than six months later, with no patch or workaround shipped, the researchers published the vulnerability, which should (should) finally prompt WD to fix the issue. Making things worse, no action on the device itself is required: the backdoor can be triggered by requests sent to the NAS from inside the local network, so simply visiting a malicious website is enough for that site's code to make the victim's browser send those requests to the drive, leaving it wide open even though it is never exposed to the Internet directly. The release of a Metasploit module for this very vulnerability means the exploit code is now out there, and Western Digital has a race on its hands. The thing is, it needn't have.
Affected models of Western Digital's My Cloud line include My Cloud Gen 2, My Cloud EX2, My Cloud EX2 Ultra, My Cloud PR2100, My Cloud PR4100, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100. Because the credentials are baked into the firmware, there is no setting an owner can change to close the hole; until a patch is issued, the only reliable mitigation is to take these drives off the network entirely, cutting both Internet access and the connection to the LAN your browsers sit on. But that isn't what users originally bought these drives for, now is it, WD?
Sources: GulfTech.org, via TechSpot, Packet Storm Security

17 Comments on Western Digital Ships "Someone's Backdoor" With My Cloud Drives

#1
newtekie1
Semi-Retired Folder
It's a sad thing that WD has known about this issue for 6 months and not bothered to address it. But I also know that the fix for it would be a firmware update that most users probably wouldn't even bother to install...
#2
ShurikN
They had 6 months to fix this and couldn't/wouldn't.
What the hell WD...
#3
eidairaman1
The Exiled Airman
Backdoors should only be accessible by the end user and only enabled by them for troubleshooting with technical support, and only commanded to do so by them. Once technical support is finished they should shut it and lock it. It should not be able to be opened externally, whether it is the company that made the device or criminals/terrorists. And it should by default not be open at all but shut and locked.
#4
Octavean
These are not the best products overall. A QNAP or Synology is a far better option in most if not all cases. The WD MyCloud Linux interface is abysmal. Such security related issues are inexcusable, especially so if they went unpatched for so long and are now publicly known.
#5
RejZoR
When I buy any storage device, the first thing I always do is format the thing. I don't trust or need any apps that come with it.
#6
newtekie1
Semi-Retired Folder
RejZoR said:
When I buy any storage device, the first thing I always do is format the thing. I don't trust or need any apps that come with it.
And that would do nothing for this exploit.
#7
syrup
"Exploiting this issue to gain a remote shell as root is a rather trivial process" says the advisory.

So it's basically a set of critical vulnerabilities that leave the devices open to remote exploit, which WD were told about six months ago, and they did nothing?

Oh well. We'll all have forgotten about it in a week.
#8
xkm1948
Cloud this, connection that. Some people working in IT think "connect everything" is a good idea. Hell no. Take a page from nature. Evolution over billions of years has given us some of the finest examples of logical coding. You don't have to dig deep to see that organisms have gone to pretty extreme extents to block direct coding exchange. Connect everything is bad; it just leaves the entire connected system vulnerable to a wipe-out scale attack. I would never trust or use cloud.
#9
newtekie1
Semi-Retired Folder
syrup said:
"Exploiting this issue to gain a remote shell as root is a rather trivial process" says the advisory.

So it's basically a set of critical vulnerabilities that leave the devices open to remote exploit, which WD were told about six months ago, and they did nothing?

Oh well. We'll all have forgotten about it in a week.
Here is the interesting thing, I don't even think Western Digital knows how to fix the problem. The reason being that they obviously get their hardware, and firmware, from D-Link (hence the exploit username being mydlinkBRionyg). So they likely rely entirely on D-Link to provide the firmware for these devices, and D-Link just skins their firmware with WD branding. So WD has to rely on D-Link to fix the problem. However, D-Link is notoriously bad at fixing security vulnerabilities with their products. So bad, in fact, that the FTC sued them early last year for failing to fix security problems with their routers, IP cameras, and NAS devices.
#11
TheGuruStud
Joke's on them. I yank the drive and trash the enclosure (even if I'm going to use it as an external).
#12
newtekie1
Semi-Retired Folder
bug said:
Boy am I glad now Chrome has a built in API for websites to access USB devices (https://developer.chrome.com/apps/usb). /s
TheGuruStud said:
Joke's on them. I yank the drive and trash the enclosure (even if I'm going to use it as an external).
What part of Network Attached Storage is hard to understand? This has nothing to do with their USB external drives.
#13
TheGuruStud
newtekie1 said:
What part of Network Attached Storage is hard to understand? This has nothing to do with their USB external drives.
Oh, I'm betting those have one, too (for data mining). Have you seen the garbage on them? And tricking dummies into installing the backup software.

The NAS ones do come in single cheapos, too. That's the reason for buying the WDs. They're super cheap on clearance.
#14
newtekie1
Semi-Retired Folder
TheGuruStud said:
Oh, I'm betting those have one, too (for data mining). Have you seen the garbage on them? And tricking dummies into installing the backup software.

The NAS ones do come in single cheapos, too. That's the reason for buying the WDs. They're super cheap on clearance.
No, the USB ones don't have a backdoor. Because they don't have a WebGUI. The software that the users install might have a backdoor, but the unit itself does not. If you just use it as a normal drive and never install any of the WD software, you have nothing to worry about.

The single units usually aren't that cheap though, unless they are refurbished, and I wouldn't trust my data on a refurbished hard drive if WD was paying me to use the drive. And even the refurbished My Cloud drives aren't usually cheap enough to warrant buying just to shuck. The 4TB MyCloud refurbished is $150. You can get a brand new 4TB hard drive for $100. I've never seen a NAS unit on sale for cheap enough to buy just to shuck.
#15
bug
newtekie1 said:
What part of Network Attached Storage is hard to understand? This has nothing to do with their USB external drives.
My bad, I thought "My Cloud" is the name of the admin software, not their line of NAS hardware.
#16
lexluthermiester
xkm1948 said:
Cloud this, connection that. Some people working in IT thinking "connect everything" is a good idea. Hell no. Take a page from nature. Evolution over billions of years have given us some of the finest example of logical coding. You don't have to dig deep to see that organisms have gone to pretty extreme extent to block direct coding exchange. Connect everything is a bad, it just leaves the entire connected system vulnerable to a wipe-out scale attack. I would never trust or use cloud.
Right there with you. I never connect anything to the internet unless it is absolutely needed. It's also why I have two different networks in my house, one of them completely isolated from the internet. So in my house, this vulnerability would be a non-issue.
#17
Octavean
Right there is the WD My Book line of drives which are USB and can be quite cheap. I have bought a number of WD My Book USB and WD EasyStore USB drives at 8TB for ~$159. I also bought a WD MyBook Duo 16TB which had 2x 8TB drives. All were WD Red 8TB drives. The MyBook Duo drives themselves are under warranty in or out of the enclosure.

Then there are the WD MyCloud line of products which are NAS units. They come in single drive, dual drive and quad drive models. I bought a WD MyCloud EX2 (discless, as in no included drives) a while back and I wasn't impressed with it. The WD interface software (Linux OS) implementation is extremely weak. One of the worst I've ever seen. If it is actually coming from D-Link then fine, but no matter what it's not something you'll likely want to use even if this security related issue were not a problem. I took my WD MyCloud EX2 offline long ago and upgraded to a Synology I bay model. I'm thinking of upgrading again to a QNAP 12 or 16 bay sometime this year.

Maybe something in the QNAP TVS-1282 line so it can double as a NAS and a DAS.