Western Digital My Cloud drives have a built-in backdoor

By Greg S · 21 replies
Jan 5, 2018
  1. Western Digital's network attached storage solutions have a newly disclosed vulnerability that allows unrestricted root access.

    James Bercegay disclosed the vulnerability to Western Digital in mid-2017. After allowing six months to pass, the full details and proof-of-concept exploit have been published. No fix has been issued to date.

    More troubling is the existence of a hard-coded backdoor with credentials that cannot be changed. Anybody can log in to Western Digital My Cloud services using "mydlinkBRionyg" as the administrator username and "abc12345cba" as the password. Once logged in, shell access is readily available, with plenty of opportunity for command injection.

    Owners of Western Digital NAS drives are not safe on local area networks, either. Specially crafted HTML image and iframe tags on a website can make requests to devices on the local network using predictable host names. No user interaction is required beyond visiting a malicious web page.

    Affected models include My Cloud Gen 2, My Cloud EX2, My Cloud EX2 Ultra, My Cloud PR2100, My Cloud PR4100, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100. A Metasploit module has also been publicly released, making it very easy for almost anyone to take advantage of Western Digital drives.

    It is advised to disconnect any affected drives from your local area network and block them from Internet access until a patch is issued.
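    The drive-by scenario above works because a remote page can embed image or iframe tags that point at a device on the LAN by its predictable host name, and the device answers as if the request came from its own user interface. The check below is an added example (not Western Digital's code) of how an embedded web interface can refuse such cross-site requests; the host names and request samples are constructed placeholders.

```python
"""Refuse cross-site requests to a LAN device's web interface.

Added example, not Western Digital firmware code. It classifies a request
as cross-site using the Origin, Referer and Sec-Fetch-Site headers a
browser attaches, so that <img>/<iframe> loads from a remote page are
rejected even when they target the device's predictable host name.
"""
from urllib.parse import urlsplit

# Constructed placeholders for the names the device answers on.
OWN_HOSTS = {"nas.local", "192.168.1.20"}
# Methods that must never change device state (so they may lack Origin).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _host_of(url):
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_cross_site(method, headers, own_hosts=OWN_HOSTS):
    """Return True when the request should be refused as cross-site.

    Order of evidence: Sec-Fetch-Site (set by modern browsers), then
    Origin, then Referer. With no evidence at all, read-only methods are
    allowed (direct navigation carries no Referer) and anything else is
    refused, which is the safe default.
    """
    fetch_site = headers.get("Sec-Fetch-Site")
    if fetch_site is not None:
        return fetch_site not in ("same-origin", "none")
    origin = headers.get("Origin")
    if origin and origin != "null":
        return _host_of(origin) not in own_hosts
    referer = headers.get("Referer")
    if referer:
        return _host_of(referer) not in own_hosts
    return method.upper() not in SAFE_METHODS


def classify(requests):
    """Map each (label, method, headers) sample to its cross-site verdict."""
    return {label: is_cross_site(m, h) for label, m, h in requests}


# Constructed samples: an <img> load from a remote page, the device's own
# UI posting a form, a headerless POST, and a user typing the URL directly.
SAMPLES = [
    ("img_from_remote_page", "GET",
     {"Referer": "http://attacker.example/p.html", "Sec-Fetch-Site": "cross-site"}),
    ("own_ui_post", "POST", {"Origin": "http://nas.local"}),
    ("headerless_post", "POST", {}),
    ("typed_url", "GET", {}),
]
```

    The GET-is-safe rule only holds if the device performs no state change on GET; an interface that runs commands from a plain link stays exposed regardless of this check.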


     
    Last edited by a moderator: Jan 5, 2018
  2. Nitrotoxin

    Nitrotoxin TS Addict Posts: 119   +74

    Sue them and they will respond...
     
    delicateharmony likes this.
  3. McMurdeR

    McMurdeR TS Booster Posts: 94   +60

    A hard-coded backdoor. Says plenty about their quality control.
     
    delicateharmony and MonsterZero like this.
  4. etherc

    etherc TS Rookie

    I was not able to log in to my supposedly affected device (My Cloud EX2 Ultra) using these credentials through the web log-in portal. Can anyone confirm this exploit is real? There is no discussion about it in the WD Community boards. I noticed this exploit is also posted for a DLink device. Thanks
     
  5. Greg S

    Greg S TechSpot Staff Topic Starter Posts: 1,324   +434

    See the "full details" link above in the article. Thankfully it's not a matter of simply entering the credentials at the regular login prompt. There is a process to go through to use the mentioned credentials.
     
  6. Danny B

    Danny B TS Rookie

    This is kind of like the Twonky server that comes on all old devices. I found this when I got Win 8 and it had my device with port 9000 open in "My Computer". I opened the web page and saw this new interface. I looked through the photos and they were not mine!!! I went ahead and locked it down with a new admin user and password and deleted all the old crap. I was like O man this sucks. It is a DLNA flaw. Watch out. You can find it by going to your cloud (IP address:9000) in any browser.
     
  7. Anubhav K

    Anubhav K TS Rookie

    This issue did exist but they fixed it with a firmware update for all affected devices, in November last year.

    Just ensure you have the latest firmware and you are all good. You most certainly do not have to remove the network connections.
     
    lostinlodos likes this.
  8. Anubhav K

    Anubhav K TS Rookie

    This is real, or at least it was until November last year. Western Digital released a firmware update fixing all exploits and vulnerabilities.
    It was an SMB exploit that enabled unauthorised access to shares.
     
    lostinlodos likes this.
  9. Joe Blow

    Joe Blow TS Addict Posts: 216   +74

    Of course they do. How else is the NSA going to get in?
     
  10. JediNite

    JediNite TS Rookie

    You would hope that if WD had patched this exploit they would go back to whoever advised them to indicate it was patched, and to confirm it is no longer an issue. However, having previously dealt with WD Support, they are very much not capable of keeping people advised about anything, so there is really no way of knowing if it is fixed unless you want to try the exploits listed in the "full article" link and see if it breaks your NAS.
     
  11. markwldn1

    markwldn1 TS Rookie

    Are recertified My Cloud drives vulnerable?
     
  12. lostinlodos

    lostinlodos TS Booster Posts: 135   +22

    If the firmware is not updated; yes.
     
  13. tipstir

    tipstir TS Ambassador Posts: 2,678   +159

    I had tested out one of these way back and ended up returning it due to overheating! I am not using anything like this from them. I have my own NAS and UAS here. Why would I need to use their Cloud system?
     
    jobeard likes this.
  14. jobeard

    jobeard TS Ambassador Posts: 11,992   +1,313

    There are several NAS devices which you can install on your own LAN and manage for yourself.

    The big advantage of a Cloud NAS is you offload all the cost, responsibility and control to someone else (whom you do not know at all) and need to explicitly trust to work in your interest (hmm, food for thought there).

    Surely my choice is self evident.
     
  15. JJ Pspam

    JJ Pspam TS Rookie

    According to the source, cited under "full details," this was fixed with a firmware patch back in November of last year...

    --[ 08 - Solution

    Upgrade firmware to version 2.30.174
    See the official vendor website for further details.
     
  16. isaac32767

    isaac32767 TS Rookie

    I have the latest firmware and I'm not good. 2.30.174 does not seem to be available for my device. And Metasploit verifies that I have the exploit.

    I changed the domain name from the default. Hopefully that will be enough to protect me from a drive-by attack.
     
  17. tricuspid

    tricuspid TS Rookie

    I actually abandoned my WD My Book Duo (an external hard drive with 2 drives in RAID 1 with an encryption feature) when I found out that the drive encrypts the data by default and the key is case specific, which means if the case fails all your data are gone, even if the drives would still be fine. You also couldn't just put the drives in another external enclosure and read the data because, you know, they are still encrypted, whether you activated the feature or not.

    This was not documented. Almost fcked up my data. But hey, backups ftw..
     
  18. jobeard

    jobeard TS Ambassador Posts: 11,992   +1,313

    GREAT Feedback - - can you point to the documentation you did find?
     
  19. tricuspid

    tricuspid TS Rookie

    jobeard likes this.
  20. jobeard

    jobeard TS Ambassador Posts: 11,992   +1,313

    hmm; Raid-1 on a NAS? I would understand Raid-10. Oh well. Thanks for the details which should help many others.
     
  21. tricuspid

    tricuspid TS Rookie

    No, it is not a NAS, it is an external hard drive with 2 drives where you can choose between RAID 1 and RAID 0, plus it gives you the "choice" to activate hardware encryption or not. But the thing is that hardware encryption is always on, whether you choose it or not. The only thing you can actually really choose is whether you want to encrypt the built-in key with which the drives are encrypted with your own password or not. And the built-in key is in the enclosure of the two drives. So if you take out one of the two drives and put it in a different external case you cannot read anything from it, because it is encrypted by default with a key you cannot extract from the original housing.
     
  22. jobeard

    jobeard TS Ambassador Posts: 11,992   +1,313

    You were quite clear on this point
     
