Traditionally, the playbook for revealing security issues with hardware or software is to let the manufacturer know first. That way, the company has some time to fix up the problem without it negatively affecting its business. More importantly, it means that hackers who weren’t aware of the bug don’t exploit it while it’s being fixed.
In this case, Exploitee.rs (via Engadget) who who discovered the bugs, made them public straight away due to what was described as WD’s “reputation within the community.” More specifically, Western Digital earned the Pwnie award at BlackHat Las Vegas 2016 for “Lamest Vendor Response” to bugs revealed to it in the past. By alerting the community, Exploitee hopes that users can avoid this particular drive range until WD goes ahead and fixes it.
There are actually a few bugs that were found as part of this latest investigation. Although they were specifically discovered on the My Cloud PR4100, they are expected to impact the entire My Cloud range. They are mostly to do with poorly written login scripts which could allow a hacker to bypass the certification system entirely, but others allow unauthorised file uploads, missing login requirements, and poorly implemented web interface commands.
While WD has yet to issue a response to these claims, My Cloud owners would be wise to keep their NAS drive offline for the time being and restrict it to your local network until several security fixes are released.
Editors' Recommendations
- Razer mice could give hackers wide-open local access to your Windows PC
- 5 lines of code allowed attackers to wipe tons of data from popular hard drive
- WD My Book Live owners need to act now to protect their data
- WhatsApp fixes bug that could have allowed hackers to read your desktop files
- Western Digital unveils iPhone backup station, home cloud storage device at IFA
