

Security warning for WD MyCloud: The devices are insecure, here are the alternatives

The simple storage solutions for home users from Western Digital are insecure. Anyone can gain access to your data with a simple trick. The case shows how well hackers and companies can work together.
Western Digital, WD for short, manufactures hard drives and storage solutions that are meant to offer home users both security and convenience. That puts the manufacturer in constant conflict with parts of the information security scene, where loud voices insist that security and convenience are incompatible. Anyone who thinks about that argument for two seconds will realise it is defeatist nonsense, but loud is loud.
Be that as it may, James Bercegay of GulfTech Research and Development took a closer look at the WD MyCloud's code and found serious security vulnerabilities. This is not news to the manufacturer: James discovered the flaws in October last year and reported them. In his advisory, he lays out in a timeline how the so-called disclosure took place.
But first: if you own or are considering buying one of the following devices, you are affected.
How hackers cooperate with companies
On 6 October 2017, James discovered the vulnerabilities. He immediately reported them to the manufacturer: "Contacted the manufacturer via the contact form on the website," the researcher writes in his timeline. Two days later he received a reply telling him to report his findings to the Product Security Incident Response Team (PSIRT), which he did the same day.
The PSIRT then checked the findings and confirmed the gaps at WD independently of the hacker's results. Samuel Brown from WD got in touch with James on 13 October and confirmed that the gaps were real. Three days later, the manufacturer contacted James again.
Western Digital and James Bercegay agreed on the responsible disclosure model: the researcher and the manufacturer agree on a deadline. Until it expires, the researcher stays silent and the manufacturer tries to fix the vulnerabilities in software.
From 16 October, Western Digital therefore had 90 days before James would make his findings public. But on 15 December, the hacker Zenofex from Exploitee.rs went public with the same findings. He knew nothing of the deadline and, as far as is known, did not contact Western Digital. He chose the path of full disclosure and published all the details of the vulnerabilities, including the exploit, online. We can only speculate about his reasons. Full disclosure is used when security researchers want to put pressure on a manufacturer: a manufacturer that does not want to fix a vulnerability can keep it quiet for as long as nobody says anything publicly.
After 79 days, i.e. before the deadline expired, James Bercegay published his findings too, probably because Western Digital had by then released a software update that fixes the vulnerabilities. Whether James received a bug bounty, i.e. money for finding the vulnerabilities, is not known.
The vulnerabilities in detail
James' findings are quite something. They do not paint a flattering picture of firmware version 2.30.165 or older. He identified the following bugs:
- Pre Auth Remote Root Code Execution: an attacker can execute code as root, i.e. with full administrative rights on the device, without first having to log in with a username and password
- Hardcoded Admin Credentials: an administrator username and password are permanently built into the WD firmware. They are stored in plain text in the code, and the user can neither change nor disable them.
Pre Auth Remote Code Execution is not a single vulnerability but a chain of several gaps, code elements and manipulated requests. Combined, they allow a user to execute commands on the WD MyCloud without being able to log in to the device.
The term Pre Auth Remote Code Execution is also a concatenation of descriptors.
- Pre Auth: Pre Authentication, i.e. before authentication
- Remote: from another machine, over the network
- Code Execution: arbitrary code can be executed
In other words, an attacker can execute arbitrary commands from anywhere without knowing a username or password. That is something you certainly do not want on a device holding your data.
The hardcoded admin credentials are most likely a leftover from development. Programmers sometimes hardcode credentials into a program to make their own work easier: they can test faster without logging in every time, even though it is completely insecure. During development that is tolerable, because the product is not yet on the market. The idea is that these shortcuts are removed from the code before release.
In the case of Western Digital's MyCloud products, that removal step was forgotten. As a result, you can log in to practically any device running the affected firmware with the following credentials:
- Username: mydlinkBRionyg
- Password: abc12345cba
As a user, you cannot change these credentials, and the device never shows them to you.
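To make the pattern concrete, here is an added illustration in Python. It is not Western Digital's code: the user store, the helper names and the PBKDF2 parameters are constructed for this example, and only the backdoor username and password are the real ones from the GulfTech advisory. The first login check carries a development shortcut of the kind described above, the second is the same check with the backdoor removed, and a small review aid flags the tell-tale comparison of a credential against a string literal.

```python
"""Development backdoor left in a login check, beside a hardened version.

Added illustration, not Western Digital's code: the user store, the helper
names and the PBKDF2 parameters are constructed for this example. Only the
backdoor username/password are the real ones from the GulfTech advisory.
"""
import hashlib
import hmac
import os
import re

ITERATIONS = 100_000  # constructed PBKDF2 work factor, kept low so the example runs fast


def _make_record(password: str):
    """Salted PBKDF2-SHA256 record as a real device would persist it (constructed)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user database: the account the owner configured in the web UI.
USERS = {"admin": _make_record("correct horse battery staple")}


def login_vulnerable(username: str, password: str) -> bool:
    """The pattern the article describes: a shortcut added during development.

    The first branch accepts a fixed username/password on every device, and
    nothing the owner can configure disables it. Shipped to customers, it
    is a backdoor.
    """
    if username == "mydlinkBRionyg" and password == "abc12345cba":
        return True  # hardcoded credentials: identical on every unit
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS) == digest


def login_hardened(username: str, password: str) -> bool:
    """Same check with the backdoor removed.

    Only accounts the owner created can log in, and the hash comparison is
    constant-time so response timing does not leak how many bytes matched.
    """
    record = USERS.get(username)
    if record is None:
        # Burn the same work for unknown usernames so timing does not reveal
        # which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Crude review aid: flag lines that compare a credential variable to a string
# literal, which is exactly what login_vulnerable does. Constructed heuristic;
# it supports a code review, it does not replace one.
_CRED_LITERAL = re.compile(
    r"""(pass(word|wd)?|pwd|user(name)?)\s*={2,3}\s*['"][^'"]+['"]""", re.IGNORECASE
)


def audit_for_backdoor(source: str) -> list:
    """Return the lines of `source` that compare a credential to a literal."""
    return [line.strip() for line in source.splitlines() if _CRED_LITERAL.search(line)]
```

The point of the hardened version is not the hashing details but the absence of any branch that bypasses the owner's configuration: a login check that can only succeed against accounts stored on the device cannot have a "works everywhere" password. The regex is a cheap guard to run over a code base before release, the step that went missing in this case.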
What can I do? Am I doomed now?!
You have a WD MyCloud at home? Then you have a problem. Not a huge one, but a problem. The solution is simple: update the firmware. Thanks to responsible disclosure, Western Digital was able to fix the issue before it was publicised and possibly exploited on a large scale.
All you need to do is update your MyCloud firmware to a version higher than 2.30.165. A spot check of the EX4 series shows that the current version at the time of writing is 2.30.174.
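If you look after more than one device, the check "is this version higher than 2.30.165?" is worth getting right, because comparing version strings as text gives the wrong answer ("2.30.99" sorts after "2.30.174" as a string). The following added example, not part of the original article, parses the dotted version into integers before comparing; the threshold is the one from the article, the inventory and the version "2.30.99" are constructed.

```python
"""Is a MyCloud firmware version still in the affected range? (added example)

The last affected version is the one named in the article; the inventory
below is constructed to show the text-comparison pitfall.
"""
LAST_AFFECTED = "2.30.165"  # 2.30.165 and older are affected; anything higher is fixed


def parse_version(version: str) -> tuple:
    """'2.30.165' -> (2, 30, 165); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """Correct check: compare numerically, field by field."""
    return parse_version(version) <= parse_version(last_affected)


def naive_is_affected(version: str, last_affected: str = LAST_AFFECTED) -> bool:
    """The wrong check: plain string comparison (shown only to demonstrate the bug)."""
    return version <= last_affected


def triage(inventory: dict) -> dict:
    """Map each device to 'update' or 'ok' given {hostname: firmware version}."""
    return {host: ("update" if is_affected(v) else "ok") for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; hostnames and the 2.30.99 entry are made up.
    devices = {"nas-living-room": "2.30.165", "nas-office": "2.30.174", "nas-old": "2.30.99"}
    for host, verdict in triage(devices).items():
        print(f"{host:16} {devices[host]:10} {verdict}")
```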
If you are fed up with WD and want a different NAS, our product management team recommends the following models:
A word about the threat situation in general. There will always be vulnerabilities in the devices in your home, and that will not change any time soon. But you are not in immediate danger, because you are most likely not a person of major global interest. You probably have a few holiday photos and some music on the device.
But you're not Scarlett Johansson or Charlie Hunnam, who might have naked pictures of themselves on MyCloud. Nor are you a large corporation that has important business secrets on the WD MyCloud. And anyway, if you own a company and store all your data on a WD MyCloud, you're basically doing something wrong.
That does not mean you should ignore your security. Remote code execution on your NAS could turn it into an attack platform for the next hack. Or someone could plant their own data on it, simply to have it stored safely on a server in Switzerland.
So, that's it. Stay updated and stay safe!


Journalist. Author. Hacker. A storyteller searching for boundaries, secrets and taboos – putting the world to paper. Not because I can but because I can’t not.