WD Patches Backdoor Security Flaw in My Cloud NAS Devices

A security researcher discloses full details on multiple software vulnerabilities in Western Digital's My Cloud network-attached storage devices that have now been patched.

Users of Western Digital’s My Cloud network-attached storage devices are being urged to update to the latest firmware version to protect themselves against a series of security issues, including a built-in backdoor vulnerability.

On Jan. 4, security researcher James Bercegay at GulfTech Research and Development publicly disclosed the WD My Cloud vulnerability. According to Bercegay, he responsibly reported the security issues to WD in June 2017.

"WD—Western Digital—is aware of the previously reported security vulnerabilities related to the My Cloud products," WD wrote in a statement sent to eWEEK. "These had been disclosed by a security researcher directly with our team in 2017 and critical issues were addressed in 2017 with firmware update v2.30.172."

Among the issues discovered by Bercegay is a hard-coded backdoor that includes a default username and password. Bercegay warned in his advisory that the backdoor could be remotely exploited and used to create a spreading worm virus. The Mirai internet of things (IoT) botnet that impacted organizations around the world at the end of 2016 was made up of vulnerable devices that had known usernames and passwords.

"Users locked to a LAN are not safe either," Bercegay warned. "An attacker could literally take over your WD MyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc."

Bercegay also noted that WD My Cloud was at risk from an unrestricted file update vulnerability that could have enabled an attacker to put arbitrary files on a vulnerable WD device.

This isn't the first time that WD has had to patch for security issues on its WD My Cloud devices. In March 2017, a security researcher known as "Zenofex" working as part of the security group Exploiteers disclosed command injection vulnerabilities in WD My Cloud. Bercegay also found command injection as part of his own research.

"By now I feel that the manufacturer should know better, considering they just went through the process of patching many command injection vulnerabilities disclosed by the Exploiteers," Bercegay wrote in his advisory. 

Tony Hart, chief architect at Corero Network Security, told eWEEK that the biggest surprise with the WD security disclosure is that IoT device manufacturers still do not keep security implications top of mind when bringing technologies to market. 

"The existence of default and generic admin username and password hardcoded into the binary in the My Cloud Storage device makes access and exploitation very trivial," Hart said. 

What Should Users Do?

There are several things that users can do to help mitigate the risk of security issues in WD's NAS devices. WD regularly updates the firmware for its devices to fix stability as well as security issues. 

"We urge customers to ensure the firmware on their products is always up to date; enabling automatic updates is recommended," WD stated. 

Looking beyond just firmware updates, WD also recommends that users implement sound data protection practices such as regular data backups as well password protection for personal cloud or network-attached storage devices.

"Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover," WD stated. "We encourage responsible disclosure by customers and researchers to ensure our customers are protected while we address valid vulnerabilities."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.