Wd My Cloud Ex4 Hardware Hack

Some of Western Digital's MyCloud-based information storage devices. Image: WD.

Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the visitor stopped supporting in 2015, too as a previously unknown nil-24-hour interval flaw. Merely there is a similarly serious zero-twenty-four hours flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can't or won't upgrade to the latest operating system.

At issue is a remote code execution flaw residing in all Western Digital network attached storage (NAS) devices running MyCloud OS 3, an operating organisation the visitor only recently stopped supporting.

Researchers Radek Domanski and Pedro Ribeiro originally planned to present their findings at the Pwn2Own hacking competition in Tokyo final yr. Simply simply days before the event Western Digital released MyCloud Os 5, which eliminated the bug they found. That update finer nullified their chances at competing in Pwn2Own, which requires exploits to piece of work confronting the latest firmware or software supported by the targeted device.

Notwithstanding, in February 2021, the duo published this detailed YouTube video, which documents how they discovered a concatenation of weaknesses that allows an assailant to remotely update a vulnerable device's firmware with a malicious backdoor — using a low-privileged user business relationship that has a blank password.

The researchers said Western Digital never responded to their reports. In a statement provided to KrebsOnSecurity, Western Digital said it received their written report afterward Pwn2Own Tokyo 2020, simply that at the time the vulnerability they reported had already been fixed by the release of My Cloud Bone 5.

"The communication that came our way confirmed the enquiry squad involved planned to release details of the vulnerability and asked us to contact them with whatever questions," Western Digital said. "We didn't accept whatever questions so we didn't respond. Since then, we have updated our procedure and answer to every report in order to avert any miscommunication like this again. We take reports from the security research community very seriously and comport investigations every bit soon as we receive them."

Western Digital ignored questions about whether the flaw institute by Domanski and Ribeiro was always addressed in Os 3. A argument published on its support site March 12, 2021 says the visitor will no longer provide further security updates to the MyCloud Bone 3 firmware.

"We strongly encourage moving to the My Deject OS5 firmware," the statement reads. "If your device is not eligible for upgrade to My Deject Os 5, we recommend that you upgrade to ane of our other My Cloud offerings that support My Cloud Bone 5. More than information tin can be found here." A list of MyCloud devices that can support OS 5 is hither.

But according to Domanski, Os v is a complete rewrite of Western Digital'due south cadre operating system, and as a result some of the more pop features and functionality built into OS3 are missing.

"It bankrupt a lot of functionality," Domanski said of OS v. "Then some users might not decide to drift to OS 5."

In recognition of this, the researchers have developed and released their own patch that fixes the vulnerabilities they constitute in OS 3 (the patch needs to exist reapplied each time the device is rebooted). Western Digital said it is aware of third parties offering security patches for My Cloud OS iii.

"We have not evaluated whatever such patches and we are unable to provide whatever support for such patches," the company stated.

A snippet from the video showing the researchers uploading their malicious firmware via a remote null-solar day flaw in MyCloud OS 3.

Domanski said MyCloud users on Os 3 can virtually eliminate the threat from this attack past simply ensuring that the devices are non set up to be reachable remotely over the Internet. MyCloud devices make information technology super piece of cake for customers to access their data remotely, but doing so also exposes them to attacks like last calendar month'southward that led to the mass-wipe of MyBook Live devices.

"Luckily for many users they don't betrayal the interface to the Internet," he said. "Simply looking at the number of posts on Western Digital's support folio related to OS3, I tin can presume the userbase is still considerable. Information technology near feels like Western Digital without whatsoever notice jumped to OS5, leaving all the users without support."

Dan Goodin at Ars Technica has a fascinating deep dive on the other zero-day flaw that led to the mass set on last month on MyBook Alive devices that Western Digital stopped supporting in 2015. In response to Goodin's report, Western Digital best-selling that the flaw was enabled by a Western Digital developer who removed code that required a valid user password earlier allowing factory resets to keep.

Facing a backfire of angry customers, Western Digital also pledged to provide information recovery services to afflicted customers starting this month. "MyBook Live customers volition too be eligible for a trade-in program so they can upgrade to MyCloud devices," Goodin wrote. "A spokeswoman said the data recovery service will exist gratuitous of accuse."

If attackers get around to exploiting this Os iii bug, Western Digital might soon be paying for data recovery services and trade-ins for a whole lot more customers.

Share this post