WD's My Cloud NAS Drives Have Been Vulnerable Since 2017

By Nathaniel Mott
published

Many people like being able to access their files no matter what device they're using. That's why services like Dropbox, Google Drive, iCloud and OneDrive have become all but ubiquitous. It's also why companies like Western Digital offer connected drives like the My Cloud products, but in that particular case, a security flaw means the person who owns the drive isn't the only one who can access its contents.

Securify's Remco Vermeulen and Exploitee.rs independently found and disclosed a major authentication bypass flaw in My Cloud products in 2017. Vermeulen said he disclosed the problem to Western Digital last April but never received a response from the company. Exploitee.rs also said it contacted Western Digital about the problem last year and even publicly discussed it at Def Con 25, but its warnings also fell on deaf ears.

The flaw in question allows someone to gain administrator access to a My Cloud drive without a password. Vermeulen said that person could "run commands that would normally require admin privileges and gain complete control of the My Cloud device." He proved this on a My Cloud model WDBCTL0020HWT running firmware version 2.30.172 but said other models likely bear the same flaw because they use the same code.

Vermeulen and Exploitee.rs both developed proofs of concept demonstrating the flaw in action. It doesn't appear to be particularly difficult--Vermeulen's demo was presented in a GIF--and could probably be exploited by amateurs now that the flaw has been disclosed to the public. Western Digital hasn't developed a fix yet, either, but a year-and-a-half of silence left the researchers little choice but to go public.

We couldn't find public acknowledgement of this vulnerability from Western Digital on its website, blog, or Twitter account. The company has responded directly to some Twitter users, however, and linked to an unlisted blog post (opens in new tab) it quietly published on September 19. In it, the company said that My Cloud Home devices aren't affected and that it plans to address the vulnerability with a firmware update "within a few weeks."

Western Digital also seemed keen on downplaying its slow response to Vermeulen and Exploitee.rs' disclosures.

"Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover. We encourage responsible disclosure by customers and researchers to ensure our customers are protected while we address valid vulnerabilities," it said in its blog post. 

My Cloud device owners are encouraged to enable automatic updates to make sure their devices aren't affected by this flaw as soon as possible.

Nathaniel Mott
Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

6 Comments Comment from the forums
  • DeadRam
    Is this a typo? "My Cloud Home devices AREN'T affected and that it plans to address the vulnerability with a firmware update "within a few weeks.""
    Reply
  • 2Be_or_Not2Be
    21336268 said:
    Is this a typo? "My Cloud Home devices AREN'T affected and that it plans to address the vulnerability with a firmware update "within a few weeks.""

    No typo - "My Cloud Home" is a different product line than "My Cloud NAS". It does seem to be a bit of defensive deflection, though.

    Reply
  • 2Be_or_Not2Be
    Very disappointing that WD doesn't commit more seriously to investigating & fixing security flaws. A year-and-a-half is way too long, and someone needs to light a corporate fire under them to get more serious.

    Sadly, it's the buyers of these devices who are ultimately hurt, not WD. However, WD, don't forget that word-of-mouth about lousy security can prevent future buyers from purchasing your products. A bad reputation can hurt all of your product lines, not just "My Cloud". So you better put some real effort into finding and fixing these vulnerabilities!
    Reply
  • DeadRam
    Let me clarify. "My Cloud Home devices aren't affected" BUT "it plans to address the vulnerability". Why address the vulnerability if they aren't affected?
    Reply
  • 2Be_or_Not2Be
    21340236 said:
    Let me clarify. "My Cloud Home devices aren't affected" BUT "it plans to address the vulnerability". Why address the vulnerability if they aren't affected?

    They are addressing the vulnerability in the My Cloud product lines (e.g. many models) that are affected. The specific "Home" model supposedly isn't affected. I'm guessing that it was probably the only one that didn't include the "Dashboard Cloud Access" or something else just slightly different enough in the firmware as their fix involves a firmware update.

    The wording on WD's blog post makes it more clear that the Home model specifically wasn't affected:

    "Recently, security researcher Securify published an authentication bypass vulnerability for our My Cloud products (My Cloud Home is exempt from the vulnerability). We are in the process of finalizing a scheduled firmware update that will resolve the reported issue. We expect to post the update on our technical support site at https://support.wdc.com/ within a few weeks."
    Reply
  • phobicsq
    Anything in the cloud or online is at risk. Until laws are made to hold companies and execs accountable things wont change.
    Reply