Western Digital My Cloud drives have a built-in backdoor

Greg S

Western Digital's network attached storage devices have a newly disclosed vulnerability that allows unrestricted root access.

James Bercegay disclosed the vulnerability to Western Digital in mid-2017. After a six-month disclosure window, the full details and a proof-of-concept exploit have been published. No fix has been issued to date.

More troubling is the existence of a hard-coded backdoor with credentials that cannot be changed. Anybody can log in to Western Digital My Cloud services using "mydlinkBRionyg" as the administrator username and "abc12345cba" as the password. Once logged in, shell access is readily available, along with ample opportunity for command injection.

Owners of Western Digital NAS drives are not safe on local area networks, either. Because the devices use predictable host names, specially crafted HTML image and iframe tags on a website can make a visitor's browser send requests to devices on that visitor's local network. No user interaction is required beyond visiting the malicious web page.
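The cross-site vector described above works because the browser will happily send a request to a predictable LAN host name on behalf of any page the user visits. The usual server-side defence is to refuse privileged requests whose Host header is not one of the device's own names (which also blocks DNS rebinding) and whose Origin or Referer does not point back at the device itself. The following is an added illustration written for this article, not Western Digital's code; the host allowlist, the privileged path prefixes and the sample requests are all constructed assumptions. It complements, rather than replaces, anti-CSRF tokens and SameSite cookies.

```python
from urllib.parse import urlsplit

# Names under which this device legitimately expects to be reached
# (constructed values; a real device would use its configured host name/IP).
ALLOWED_HOSTS = {"wdmycloud", "wdmycloud.local", "192.168.1.50"}

# HTTP methods that must never change state on the device.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Assumed layout: paths that should only ever be called from the device's own UI.
PRIVILEGED_PREFIXES = ("/cgi-bin/", "/api/")


def _host_only(value):
    """Strip an optional :port from a Host header or URL netloc (IPv6 literals not handled)."""
    if not value:
        return None
    return value.split(":", 1)[0].lower()


def _source_host(headers):
    """Host the browser claims the request came from: Origin if present, else Referer, else None."""
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value:
            return _host_only(urlsplit(value).netloc)
    return None


def check_request(method, path, headers):
    """Return (allowed, reason) for one incoming request.

    headers is a plain dict; header names are matched case-insensitively.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    method = method.upper()

    # 1. The request must be addressed to one of our own names.
    host = _host_only(headers.get("host", ""))
    if host not in ALLOWED_HOSTS:
        return False, "unexpected Host header (possible DNS rebinding)"

    # 2. Only privileged or state-changing requests need a same-origin source.
    needs_same_origin = method not in SAFE_METHODS or path.startswith(PRIVILEGED_PREFIXES)
    if not needs_same_origin:
        return True, "public read-only request"

    source = _source_host(headers)
    if source is None:
        # No Origin/Referer at all: a typed URL is fine for GET, but a
        # state-changing method with no provenance is refused.
        if method in SAFE_METHODS:
            return True, "direct navigation without source header"
        return False, "state-changing request without Origin/Referer"

    if source != host:
        # This is what an <img> or <iframe> on a third-party page looks like.
        return False, f"cross-site request from {source}"
    return True, "same-origin request"


# Constructed sample traffic: (label, method, path, headers).
SAMPLE_REQUESTS = [
    ("ui login", "POST", "/cgi-bin/login.cgi",
     {"Host": "wdmycloud", "Origin": "http://wdmycloud"}),
    ("img tag on attacker page", "GET", "/cgi-bin/status.cgi",
     {"Host": "wdmycloud", "Referer": "http://malicious.example/page.html"}),
    ("iframe form post", "POST", "/cgi-bin/settings.cgi",
     {"Host": "wdmycloud.local", "Origin": "http://malicious.example"}),
    ("dns rebinding", "GET", "/cgi-bin/status.cgi",
     {"Host": "rebound.malicious.example"}),
    ("typed url", "GET", "/cgi-bin/status.cgi",
     {"Host": "192.168.1.50:80"}),
    ("public asset", "GET", "/static/logo.png",
     {"Host": "wdmycloud", "Referer": "http://malicious.example/"}),
]


def triage(requests=SAMPLE_REQUESTS):
    """Map each sample label to whether the check lets it through."""
    return {label: check_request(m, p, h)[0] for label, m, p, h in requests}


if __name__ == "__main__":
    for label, m, p, h in SAMPLE_REQUESTS:
        allowed, reason = check_request(m, p, h)
        print(f"{label:28s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

Note that a GET from an image tag carries no Origin header, so the Referer is the only provenance available; if a privacy-conscious browser strips it, such a request is indistinguishable from a typed URL, which is why GET handlers on a device like this must never perform privileged actions in the first place.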

Affected models include My Cloud Gen 2, My Cloud EX2, My Cloud EX2 Ultra, My Cloud PR2100, My Cloud PR4100, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100. A Metasploit module has also been publicly released, making it very easy for almost anyone to take advantage of Western Digital drives.

It is advised to disconnect any affected drives from your local area network and block them from Internet access until a patch can be issued.


 
I was not able to log in to my supposedly affected device (My Cloud EX2 Ultra) using these credentials through the web log-in portal. Can anyone confirm this exploit is real? There is no discussion about it in the WD Community boards. I noticed this exploit is also posted for a DLink device. Thanks
 
I was not able to log in to my supposedly affected device (My Cloud EX2 Ultra) using these credentials through the web log-in portal. Can anyone confirm this exploit is real? There is no discussion about it in the WD Community boards. I noticed this exploit is also posted for a DLink device. Thanks

See the "full details" link above in the article. Thankfully it's not a matter of simply entering the credentials at the regular login prompt. There is a process to go through to use the mentioned credentials.
 
This is kind of like the Twonky server that comes on all old devices. I found this when I got Win 8 and it had my device with port 9000 open in "My Computer". I opened the web page and saw this new interface. I looked through the photos and they were not mine!!! I went ahead and locked it down with a new admin user and password and deleted all the old crap. I was like, "Oh man, this sucks." It is a DLNA flaw. Watch out. You can find it by going to your cloud (IP address:9000) in any browser.
 
This issue did exist but they fixed it with a firmware update for all affected devices, in November last year.

Just ensure you have the latest firmware and you are all good. You most certainly do not have to remove the network connections.
 
I was not able to log in to my supposedly affected device (My Cloud EX2 Ultra) using these credentials through the web log-in portal. Can anyone confirm this exploit is real? There is no discussion about it in the WD Community boards. I noticed this exploit is also posted for a DLink device. Thanks
This is real, or at least it was until November last year. Western Digital released a firmware update fixing all exploits and vulnerabilities.
It was an SMB exploit that enabled unauthorised access to shares.
 
I was not able to log in to my supposedly affected device (My Cloud EX2 Ultra) using these credentials through the web log-in portal. Can anyone confirm this exploit is real? There is no discussion about it in the WD Community boards. I noticed this exploit is also posted for a DLink device. Thanks
This is real, or at least it was until November last year. Western Digital released a firmware update fixing all exploits and vulnerabilities.
It was an SMB exploit that enabled unauthorised access to shares.

You would hope that if WD had patched this exploit they would go back to whoever advised them to indicate it was patched, and to confirm it is no longer an issue. However, having previously dealt with WD Support, they are very much not capable of keeping people advised about anything, so there is really no way of knowing if it is fixed unless you want to try the exploits listed in the "full article" link and see if it breaks your NAS.
 
I had tested out one of these way back and ended up returning it due to overheating! I am not using anything like this from them. I have my own NAS and UAS here. Why would I need to use their Cloud system?
 
There are several NAS devices which you can install on your own LAN and manage for yourself.

The big advantage of a Cloud NAS is you offload all the cost, responsibility and control to someone else (whom you do not know at all) and need to explicitly trust to work in your interest (hmm, food for thought there).

Surely my choice is self evident.
 
According to the source, cited under "full details," this was fixed with a firmware patch back in November of last year...

--[ 08 - Solution

Upgrade firmware to version 2.30.174
See the official vendor website for further details.
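Since the thread turns on whether a given unit is at or above the firmware version named in the advisory's solution section, here is an added helper for that check (my own example, not the advisory's or Western Digital's code). It compares versions as numeric tuples rather than strings, because a plain string comparison gets dotted versions wrong (for instance a constructed "2.9.0" sorts after "2.30.174" as text but is the older release). The inventory and the version numbers in it are constructed for the example; only 2.30.174 comes from the advisory text quoted above.

```python
import re

# Fix version named in the advisory's "Solution" section.
FIXED_VERSION = "2.30.174"

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """Turn a dotted firmware version like '2.30.174' into a comparable tuple of ints."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed version is at or above the fixed version.

    Tuple comparison is element-wise and numeric, so 2.30.174 > 2.9.0 as
    expected; a shorter tuple such as (2, 30) compares below (2, 30, 174).
    """
    return parse_version(installed) >= parse_version(fixed)


# Constructed inventory: (model, firmware version as reported by the device).
SAMPLE_INVENTORY = [
    ("My Cloud EX2 Ultra", "2.30.174"),
    ("My Cloud PR4100", "2.30.172"),
    ("My Cloud EX4100", "2.31.149"),
    ("My Cloud DL2100", "2.9.0"),
    ("My Cloud EX2", "unknown"),
]


def needs_attention(inventory=SAMPLE_INVENTORY):
    """Return the models that are below the fix version or whose version cannot be parsed.

    A version string that cannot be parsed is flagged rather than ignored:
    a unit you cannot confirm as patched has to be treated as unpatched.
    """
    flagged = []
    for model, version in inventory:
        try:
            patched = is_patched(version)
        except ValueError:
            patched = False
        if not patched:
            flagged.append(model)
    return flagged


if __name__ == "__main__":
    # Demonstrates the string-comparison pitfall the tuple approach avoids.
    print("string compare says 2.9.0 is newer:", "2.9.0" > FIXED_VERSION)
    print("numeric compare says 2.9.0 is patched:", is_patched("2.9.0"))
    print("units needing attention:", needs_attention())
```

As one commenter below notes, not every model in the affected list necessarily has a 2.30.174 build available, so a unit flagged here still needs the vendor's per-model release notes to settle whether a fix exists for it at all.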
 
This issue did exist but they fixed it with a firmware update for all affected devices, in November last year.

Just ensure you have the latest firmware and you are all good. You most certainly do not have to remove the network connections.
I have the latest firmware and I'm not good. 2.30.174 does not seem to be available for my device. And Metasploit verifies that I have the exploit.

I changed the domain name from the default. Hopefully that will be enough to protect me from a drive-by attack.
 
I actually abandoned my WD My Book Duo (an external hard drive with 2 drives in RAID 1 with an encryption feature) when I found out that the drive encrypts the data by default and the key is case-specific, which means if the case fails all your data is gone, even if the drives would still be fine. You also couldn't just put the drives in another external enclosure and read the data because, you know, they are still encrypted, whether you activated the feature or not.

This was not documented. Almost fcked up my data. But hey, backups ftw..
 
I actually abandoned my WD My Book Duo (an external hard drive with 2 drives in RAID 1 with an encryption feature) when I found out that the drive encrypts the data by default and the key is case-specific, which means if the case fails all your data is gone, even if the drives would still be fine. You also couldn't just put the drives in another external enclosure and read the data because, you know, they are still encrypted, whether you activated the feature or not.

This was not documented.
GREAT Feedback - - can you point to the documentation you did find?
 
I actually abandoned my WD My Book Duo (an external hard drive with 2 drives in RAID 1 with an encryption feature)
hmm; Raid-1 on a NAS? I would understand Raid-10. Oh well. Thanks for the details which should help many others.
 
No, it is not a NAS, it is an external hard drive with 2 drives where you can choose between RAID 1 and RAID 0, plus it gives you the "choice" to activate hardware encryption or not. But the thing is that hardware encryption is always on, whether you choose it or not. The only thing you can actually really choose is whether you want to encrypt the built-in key with which the drives are encrypted with your own password or not. And the built-in key is in the enclosure of the two drives. So if you take out one of the two drives and put it in a different external case you cannot read anything from it because it is encrypted by default with a key you cannot extract from the original housing.
 
The only thing you can actually really choose is whether you want to encrypt the built-in key with which the drives are encrypted with your own password or not. And the built-in key is in the enclosure of the two drives. So if you take out one of the two drives and put it in a different external case you cannot read anything from it because it is encrypted by default with a key you cannot extract from the original housing.
You were quite clear on this point.
 