WD's My Cloud NAS Drives Have Been Vulnerable Since 2017

Many people like being able to access their files no matter what device they're using. That's why services like Dropbox, Google Drive, iCloud and OneDrive have become all but ubiquitous. It's also why companies like Western Digital offer connected drives like the My Cloud products, but in that particular case, a security flaw means the person who owns the drive isn't the only one who can access its contents.

Securify's Remco Vermeulen and Exploitee.rs independently found and disclosed a major authentication bypass flaw in My Cloud products in 2017. Vermeulen said he disclosed the problem to Western Digital last April but never received a response from the company. Exploitee.rs also said it contacted Western Digital about the problem last year and even publicly discussed it at Def Con 25, but its warnings also fell on deaf ears.

The flaw in question allows someone to gain administrator access to a My Cloud drive without a password. Vermeulen said that person could "run commands that would normally require admin privileges and gain complete control of the My Cloud device." He proved this on a My Cloud model WDBCTL0020HWT running firmware version 2.30.172 but said other models likely bear the same flaw because they use the same code.

Vermeulen and Exploitee.rs both developed proofs of concept demonstrating the flaw in action. It doesn't appear to be particularly difficult--Vermeulen's demo was presented in a GIF--and could probably be exploited by amateurs now that the flaw has been disclosed to the public. Western Digital hasn't developed a fix yet, either, but a year-and-a-half of silence left the researchers little choice but to go public.

We couldn't find public acknowledgement of this vulnerability from Western Digital on its website, blog, or Twitter account. The company has responded directly to some Twitter users, however, and linked to an unlisted blog post it quietly published on September 19. In it, the company said that My Cloud Home devices aren't affected and that it plans to address the vulnerability with a firmware update "within a few weeks."

Western Digital also seemed keen on downplaying its slow response to Vermeulen and Exploitee.rs' disclosures.

"Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover. We encourage responsible disclosure by customers and researchers to ensure our customers are protected while we address valid vulnerabilities," it said in its blog post.

My Cloud device owners are encouraged to enable automatic updates to make sure their devices aren't affected by this flaw as soon as possible.

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

Latest

Meletrix Boog75 Review: More enthusiast than gamer

A vintage General Electric PC ad from BASIC's birth era, the 60s. This ad is for the cut-down GE-210 versus the colossal 2000 LB GE-225 used to create the BASIC programming language.

The BASIC programming language turns 60 — Dartmouth BASIC started it all in 1964

This 25-inch Samsung Odyssey G4 monitor is only $199 for the first time at Amazon

See more latest ►

6 Comments Comment from the forums

DeadRam

Is this a typo? "My Cloud Home devices AREN'T affected and that it plans to address the vulnerability with a firmware update "within a few weeks.""
Reply
2Be_or_Not2Be

21336268 said:
Is this a typo? "My Cloud Home devices AREN'T affected and that it plans to address the vulnerability with a firmware update "within a few weeks.""

No typo - "My Cloud Home" is a different product line than "My Cloud NAS". It does seem to be a bit of defensive deflection, though.

Reply
2Be_or_Not2Be

Very disappointing that WD doesn't commit more seriously to investigating & fixing security flaws. A year-and-a-half is way too long, and someone needs to light a corporate fire under them to get more serious.

Sadly, it's the buyers of these devices who are ultimately hurt, not WD. However, WD, don't forget that word-of-mouth about lousy security can prevent future buyers from purchasing your products. A bad reputation can hurt all of your product lines, not just "My Cloud". So you better put some real effort into finding and fixing these vulnerabilities!
Reply
DeadRam

Let me clarify. "My Cloud Home devices aren't affected" BUT "it plans to address the vulnerability". Why address the vulnerability if they aren't affected?
Reply
2Be_or_Not2Be

21340236 said:
Let me clarify. "My Cloud Home devices aren't affected" BUT "it plans to address the vulnerability". Why address the vulnerability if they aren't affected?

They are addressing the vulnerability in the My Cloud product lines (e.g. many models) that are affected. The specific "Home" model supposedly isn't affected. I'm guessing that it was probably the only one that didn't include the "Dashboard Cloud Access" or something else just slightly different enough in the firmware as their fix involves a firmware update.

The wording on WD's blog post makes it more clear that the Home model specifically wasn't affected:

"Recently, security researcher Securify published an authentication bypass vulnerability for our My Cloud products (My Cloud Home is exempt from the vulnerability). We are in the process of finalizing a scheduled firmware update that will resolve the reported issue. We expect to post the update on our technical support site at https://support.wdc.com/ within a few weeks."
Reply
phobicsq

Anything in the cloud or online is at risk. Until laws are made to hold companies and execs accountable things wont change.
Reply

Show more comments

Stay on the Cutting Edge

Most Popular