Western Digital 'My Cloud' Devices Have a Hardcoded Backdoor (betanews.com)
Date: 2018-01-08
BrianFagioli shares a report from BetaNews: Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital MyCloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files are at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing. GulfTech Research and Development explains, "The triviality of exploiting this issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc." The My Cloud Storage devices affected by this backdoor include: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Firmware 2.30.172 reportedly fixes the bug, so make sure your device is updated before reconnecting to the internet.
Nah. Always Be Careful... 12345... Can't Be Assed.
No, it is showing that a simple way to break into something was known 31 years ago by a non-IT person yet the same stupid way of thinking about security is still being used today.
I've seen most of it.
The movie you're referencing came out 31 years ago. Your age is showing.
I'm shocked - shocked! - to find that old movie references are going on in here!
12345? That's the same combination as my luggage!
Per TSA regulations
:-)
12345? That's the same combination as my luggage!
That's some pretty secure luggage. I've rarely seen luggage locks that go past 1234. Not that it matters. Even the ones the TSA can unlock they just throw away. I gave up on luggage locks within the first month of the existence of the TSA.
...have a hardcoded backdoor, meaning anyone can access them...
Firmware 2.30.172 reportedly fixes the bug...
I don't think that word means what the author thinks it means.
...it was disclosed to Western Digital six months ago and the company did nothing.
Firmware 2.30.172 reportedly fixes the bug...
Also, I don't think releasing a firmware update is doing nothing.
"Bug"? Yeah, me neither.
As for "hardcoded", I don't think the word means what you think it means.
... using one of the many predictable default hostnames
...
Good thing I renamed mine to "FutureCorruptedBackup"
;-)
"To make matters worse, it was disclosed to Western Digital six months ago and the company did nothing."
... "Firmware 2.30.172 reportedly fixes the bug"
hmm...
So, OK, June 16 to November 16 is only 5 months.
But their release notes don't even mention the severity of the problem and the importance of installing the updated firmware!
Re:WD did nothing! (Score:4, Interesting)
... the company apparently did nothing until November 2017.
2018 (Score:5, Informative)
>How can it be possible that a big company like Western Digital constructs a backdoor to your personal data?
It's not unheard of for companies to do this on consumer devices, for technical support to assist people who lock themselves out of devices and don't want to lose data. Up until now I'd only ever seen it in rebranded modems bundled with DSL service, but for a while it was difficult to avoid.
I agree it was never a good idea, and nowadays it should be considered criminal.
I remember buying a very early laptop which had BIOS password protection. One time I forgot the password, called the store asking how I can reset it. "Oh, you'll have to bring it into the store for our technicians to work on in our workshop. It has to be done there, as we can't let you see the recovery process." So I removed each back panel, found the password reset DIM switch, and reset the password.
Re:2018 (Score:4, Insightful)
How can it be possible that a big company like Western Digital constructs a backdoor to your personal data? Such a company - and its owners - should be shut down, prosecuted and put behind bars for many - many - years... This is not an accident. This is making sure by design they (and maybe their partners, workforce, ex-workforce and 3-letter agencies) have access to your private data. I for one will never buy another device from Western. Who knows what they have done to the ICs in their hard disks to provide access to my data. I cannot look into a chip and they know that!
It's a massive screwup, though we don't really know how it got there yet, a few quick scenarios are:
1) It could have been a deliberate backdoor for WD, the government, etc, that was sanctioned by the highest levels of the company, but this seems quite unlikely.
2) It could be a malicious employee (or even outside attacker) who introduced the backdoor for their own purposes.
3) An individual or team who didn't know any better put it there.
4) An individual or team added it for testing purposes, and people forget and never pulled it out.
My money would be on 3 or 4, reading the advisory from the security researcher it sounds like there was a lot of sloppiness in the WD code.
It sounds like it was inherited from another WD product that got patched in 2014 (but the patch was never ported to this device) so my money is on crappy software processes.
I'll tell you exactly how it got there: firmware and software development for consumer garbage like this is outsourced to the deepest, darkest bowels of China and India. The code is copied and pasted from the last project, or open source stuff is smashed together until it basically works and they ship it. In this particular case, maybe it was a convenience during development, or maybe there was an organized plan to take advantage of dumb (American) consumers who would never know any better.
Welcome to the
Re: (Score:3)
Look at the string "dlink". I had a laptop (Sony Vaio) that would spontaneously connect to a DLink router somewhere elsewhere in our neighborhood. By spontaneously connect, I mean wi-fi was disabled by the Linux GUI options, only to see the laptop connect spontaneously to a DLink router. Because the case of the laptop was used as the wi-fi antenna, it had 100 meters range.
5) It was intentionally and purposely put there for those times when a user contacts them (Yes, the real owner) sobbing uncontrollably because he seems to be locked out of his network drive because he forgot his password and all the pictures he had of his daughter are on there and she recently died in a car accident and he doesn't know what to do.
Re:2018 (Score:5, Insightful)
They probably didn't construct it - a low-bidder did.
"Brian" Y.G. reused the same code he did for the D-Link job, if one had to venture a guess.
That tells you something about WD's quality.
That they found out about this six months ago tells you something about their responsibility. It's actions like these that make class action attorneys drool while they mumble "willful negligence". It's cheaper to fix the code, IMO.
If it was cheaper to fix the code, they would fix the code. Clearly it's cheaper to ship many millions of hardware devices with insecure firmware and eventually, maybe, perhaps, pay a pittance to the tiny percentage of a tiny percentage of customers who notice and care and stay interested in an esoteric class action lawsuit about a company they can't name and a product they hardly remember even owning and which on cursory inspection seems to work fine.
This is making sure by design they (and maybe their partners, workforce, ex-workforce and 3-letter agencies) have access to your private data.
Oh, cut the crap out with the conspiracy theories. The MyCloud system is all about allowing external access of your data (so you have your own "cloud" hosted locally), so it makes sense there'll be a way to access it. This is just plain laziness combined with zero oversight and total carelessness. It's awful, WD should be ashamed of themselves, but jumping to the "IT'S THE GUBINMENT STEALIN YER DATA" just makes you look like a fool.
Re: (Score:3)
How can it be possible that a big company like Western Digital constructs a backdoor to your personal data? Such a company - and its owners - should be shut down, prosecuted and put behind bars for many - many - years... This is not an accident. This is making sure by design they (and maybe their partners, workforce, ex-workforce and 3-letter agencies) have access to your private data. I for one will never buy another device from Western. Who knows what they have done to the ICs in their hard disks to provide access to my data. I cannot look into a chip and they know that!
Western Digital knows your opinion represents less than 1% of their current customer base. You mean less to them than the corporate coffee clerk being accused of sexual assault, which means they're not going to think twice about re-installing backdoors into their products if it provides them even the slightest benefit.
Consumers simply don't give a shit. Firmware update a storage device? That will never happen across 90% of deployed product unless Western Digital does it themselves in a fully automated man
I gave up on consumer NAS because the permissions suck - you can't integrate with a Windows domain. So these days my 'NAS' is a USB drive shared off my server.
On the other hand, I'm not 100% certain (because of lack of interest once I had my own solution in place), but I believe many consumer router/modems now come with a USB port to share storage or a printer. I'd suggest investing some time in hunting down a router with that feature instead of going with a consumer NAS device.
On my third hand... I'm not
WD is not what it used to be (Score:3)
I was a fan of WD for a long time, I even had a couple of their NAS My Book Live drives, which were quite nice for the price and were accessible directly over the LAN, but the new "My Cloud" drives require crappy software to work and require to always be online to work, both deal killers for me. These days I only buy HGST drives (yes, I know WD owns them, but they are still made by a different group).
The issue appears to be one of control. Intel wants control of their chips so they put in a secret operating system, AMD did the same. John Deere doesn't want farmers to fix their tractors, cars are sold with black boxes unable to be removed or GPS taggers by the dealership they sometimes forget to remove. OnStar can remotely disable your vehicle.
When we pay money for a product the issue of control is supposed to be that we have it, we have the item, we have the control. The idea is supposed to be that t
I am shocked—shocked—to find that there is a back door in a "cloud" product.
I tried this ... (Score:5, Interesting)
... on my "WD Mycloud" wireless device that I purchased last year.
When I entered the username, "mydlinkBRionyg" (without the quotes), the text box had an "X" in it, saying, "Only administrator users are allowed."
I checked the firmware version and it does have the latest (2.30.172).
I do not allow access from outside the local LAN and I have to log in as Admin and enable "Share" in order to map a drive.
I leave Share activated only during the short period of time that it takes to copy files to/from the device and then I disable Share again.
I'm hoping that "offline" condition protects me from intruders.
Re: I tried this ... (Score:5, Insightful)
When I entered the username, "mydlinkBRionyg" (without the quotes), the text box had an "X" in it, saying, "Only administrator users are allowed."
Please tell me their "fix" wasn't a JavaScript block to prevent you from entering the password for that user.
1.) Read my post again and notice I never said I entered a password.
2.) I have no fucking clue what their fix was.
3.) I don't even know if their fix works.
I think LordKronos was pointing out that the login page seemed to disallow you from trying to log into that account via a dynamic update to the web page (You went to log in and the text box updated with an X). Hopefully they actually did something more substantive to block the login, rather than simply inserting a script that blocks using that login-- the reason being that an attacker could block the script from running.
That's a bunch of speculation, and hopefully WD isn't that stupid.
Thanks for the clarification, but I don't think WD is stupid.
I think the word we're looking for is, "incompetent."
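The concern raised in the replies above (a block that lives only in the login page's script, versus one enforced by the server) can be modelled in a few lines. This is an added example, not part of the thread and not Western Digital's code; every account name, password and function name in it is constructed for illustration.

```python
import hashlib
import hmac
import os

# All names and credentials below are constructed for this example.
BUILTIN_USER, BUILTIN_PASS = "factory_support", "example-only"

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _record(password: str, is_admin: bool):
    salt = os.urandom(16)
    return salt, _kdf(password, salt), is_admin

# Server-side account store: per-user salt and password hash, no plaintext.
ACCOUNTS = {"admin": _record("correct horse battery staple", True),
            "guest": _record("guest-pass", False)}
_DUMMY = _record("unused", False)  # keeps the work similar for unknown users

def check_store(username: str, password: str) -> bool:
    salt, digest, is_admin = ACCOUNTS.get(username, _DUMMY)
    ok = hmac.compare_digest(_kdf(password, salt), digest)
    return ok and is_admin and username in ACCOUNTS

def page_script_allows(username: str) -> bool:
    """Stand-in for a login-page script; the browser may never run it."""
    return username != BUILTIN_USER

def server_login_weak(username: str, password: str) -> bool:
    """Built-in credential still honoured; only the page script hides it."""
    if username == BUILTIN_USER and password == BUILTIN_PASS:
        return True
    return check_store(username, password)

def server_login_hardened(username: str, password: str) -> bool:
    """No code path outside the account store; admin role checked here."""
    return check_store(username, password)

def submit(server, username, password, run_page_script=True) -> bool:
    """Models one login request; run_page_script=False is a client that skips the script."""
    if run_page_script and not page_script_allows(username):
        return False
    return server(username, password)
```

With the weak handler the outcome depends on whether the client chose to run the page script; with the hardened handler it does not, which is the property to verify after a firmware update.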
Jagger said it best (Score:3)
https://www.youtube.com/watch?v=VIXOOwthtaE
Way to go idiot WD programmers, QA, supervisors, managers, and your whole stupid operation.
Love your hard drives though.
So, let's say you're designing a Linux-based embedded system and you want to be able to make modifications and upgrades to the OS in the field. How do you allow for this without root access? And so what if the root user has a password? If you have to give that to a customer to perform these upgrades, that password is no longer secure.
Well, not internet-based updating per se. But let's say you need to update certain libraries or perhaps install a new piece of software like PHP or something. A super user has the privilege to modify stuff in the OS directory tree so you need to allow the customer or even the updater to be a super user. How do you do that without allowing them to touch stuff you don't want them to?
With Sarbanes-Oxley passed years ago, not a single CEO has been held accountable. Yet, this is ANOTHER case where the CEO SHOULD be and MUST be held accountable for allowing their company to produce a clear and dangerous product deficiency.
Democrats wanted SO but never use it. Was it just a money grab as people said it was? The answer is : Yes. Another worse law by worthless liberals that costs this country BILLIONS each year. Either repeal S.O. or apply it!
Isn't the reason you bought private storage that you wanted to keep it private?
It said NSA on the label; Dang!
I use mine mostly to load pee videos, hoping I'll get a job in the current administration; you never know...
