Western Digital’s My Cloud network-attached storage (NAS) drives feature several unpatched security problems which could leave users vulnerable to attack by nefarious individuals. WD has been made aware of the flaws in the system, and the team that discovered the bugs has now made them available to the public in the hope that it encourages a quicker turnaround on a fix.
Traditionally, the playbook for revealing security issues with hardware or software is to let the manufacturer know first. That way, the company has some time to fix up the problem without it negatively affecting its business. More importantly, it means that hackers who weren’t aware of the bug don’t exploit it while it’s being fixed.
In this case, Exploitee.rs (via Engadget) who who discovered the bugs, made them public straight away due to what was described as WD’s “reputation within the community.” More specifically, Western Digital earned the Pwnie award at BlackHat Las Vegas 2016 for “Lamest Vendor Response” to bugs revealed to it in the past. By alerting the community, Exploitee hopes that users can avoid this particular drive range until WD goes ahead and fixes it.
There are actually a few bugs that were found as part of this latest investigation. Although they were specifically discovered on the My Cloud PR4100, they are expected to impact the entire My Cloud range. They are mostly to do with poorly written login scripts which could allow a hacker to bypass the certification system entirely, but others allow unauthorised file uploads, missing login requirements, and poorly implemented web interface commands.
While WD has yet to issue a response to these claims, My Cloud owners would be wise to keep their NAS drive offline for the time being and restrict it to your local network until several security fixes are released.
- Intel warned Chinese tech firms of security flaws before telling U.S. government
- How Google’s ‘Project Zero’ task force races hackers to snuff out bugs
- Apple releases an iOS update to fix infamous Telegu text bug
- Microsoft misses another Edge-related 90-day security disclosure deadline
- Intel opens bug hunt to all security researchers, offers possible $250K payout