Traditionally, the playbook for revealing security issues with hardware or software is to let the manufacturer know first. That way, the company has some time to fix up the problem without it negatively affecting its business. More importantly, it means that hackers who weren’t aware of the bug don’t exploit it while it’s being fixed.
In this case, Exploitee.rs (via Engadget) who who discovered the bugs, made them public straight away due to what was described as WD’s “reputation within the community.” More specifically, Western Digital earned the Pwnie award at BlackHat Las Vegas 2016 for “Lamest Vendor Response” to bugs revealed to it in the past. By alerting the community, Exploitee hopes that users can avoid this particular drive range until WD goes ahead and fixes it.
There are actually a few bugs that were found as part of this latest investigation. Although they were specifically discovered on the My Cloud PR4100, they are expected to impact the entire My Cloud range. They are mostly to do with poorly written login scripts which could allow a hacker to bypass the certification system entirely, but others allow unauthorised file uploads, missing login requirements, and poorly implemented web interface commands.
While WD has yet to issue a response to these claims, My Cloud owners would be wise to keep their NAS drive offline for the time being and restrict it to your local network until several security fixes are released.
