A SECURITY RESEARCH COMPANY has published details of vulnerabilities it has found in a number of Western Digital’s MyCloud devices.
Gulftech Research and Development’s James Bercegay explains that despite contacting the company back in June, there is to date no patch available for any of the vulnerabilities.
The news is on top of the 85 (!) vulnerabilities uncovered last year.
Western Digital had asked Bercegay to wait 90 days for them to act before disclosing, 90 days being considered a fair and reasonable grace period in the industry. But when, by mid-December, no patches had been issued and another site had published a full description of one of the exploits, he made the decision to go public.
In January, the full list of exploits was revealed, affecting the following WD models:
MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.
The most recent model, the MyCloud Home, is not included on this list and we’re checking with Western Digital as to whether it is part of the rogue’s gallery. The MyCloud 04.X and MyCloud 2.30.174 firmware are listed as not affected so we suspect not – the listed models are older ones that haven’t been updated as recently.
Weirdly, the issue stems from a password belonging to another vendor, D-Link, which has remained hard-coded into the firmware. The username mydlinkBRionyg and a very guessable password will give you root access.
Although D-Link is better known for security cameras and networking, it does white label NAS devices and it appears that WD uses them in whole or in part.
What’s more worrying is that this isn’t just about backing up your holiday snaps – the same ranges also include small and medium business models, which could mean your personal data as a customer of those businesses is exposed too.
The important bit is that upgrading the firmware, if possible, will solve the problem. But with something quite this serious, the normal thing would be for WD to force the issue with a big song and dance to boot. The fact that it so far hasn’t is the major cause for concern. µ
Source: Inquirer