Category: IT|Jul 7, 2021 | Author: Admin

Found new bug: Could get full access to more Western Digital discs

• WD
• western digital
• update
• remote
• permalink

Share on

 Facebook |  Twitter |  LinkedIn |  Reddit

Upgrade to a newer version, the company says.

Recently, we wrote about owners of Western Digital products who experienced that hackers broke in and restored the disks to factory settings, which resulted in them losing all data.

 

This was due to two separate vulnerabilities in My Book Live products, and it was speculated that several hacker groups had been involved. WD eventually said they would try to recover customers' lost data.

 

Now a new vulnerability has emerged, and this time it includes the much newer My Cloud devices. A video about the vulnerability was originally published as early as February, but has been brought out by security writer Brian Krebs in light of the MyBook Live hacking.

 

Be able to remotely update the firmware
It was security researchers Pedro Ribeiro and Radek Domanski who discovered that a chain of vulnerabilities caused an attacker to remotely update the firmware on Western Digital's My Cloud network drives, which is a much newer product type than the My Book Live devices that lost data.

 

With that, they could in practice install a "back door" and get full access to the device, thanks to the operating system My Cloud OS 3 had a standard user account with a blank password.

 

Ribeiro and Domanski were originally to participate with the discovery in a competition called Pwn2Own last year, where by documenting that one can hack into large systems, relatively large sums of money can be paid. In this year's edition, more than NOK 10 million was paid out.

 

Updated, but not everyone was happy
Just days before the competition was to take place, however, Western Digital released My Cloud OS 5, which closed the vulnerability they had found. Since then, the company has announced that they will not come with more updates to My Cloud OS 3, and recommends all customers to upgrade.

 

The "downside" is that OS 5 was a complete rebuild of the entire operating system.

 

- It ruined a lot of functionality. So some users may have decided not to migrate to OS 5, Domanski told Krebs.

 

A look at Western Digital's forums suggests that the user base on OS 3 is still significant, he says.

 

- We had no questions
Security researchers contacted Western Digital about the vulnerability, but never received a response.

 

- The communication that came to us confirmed that the research group involved planned to release details about the vulnerability and asked us to contact us if we had any questions. We had no questions, so we did not answer, says Western Digital to Krebs.

 

However, they say that they have updated the routines afterwards, and that they now respond to all reports to avoid misunderstandings.

 

To Engadget, the company says that there is a fix for the vulnerability - to upgrade to OS 5.

 

- My Cloud OS 5 is a major security update that provides an architectural overhaul of our older My Cloud firmware. All My Cloud products that are under active customer support are eligible for the My Cloud OS 5 upgrade, and we recommend that all users upgrade as soon as possible to take advantage of the latest security fixes, they say.

 

Disconnect from the internet
If you have a WD MyCloud device with OS 3 and do not want or can not upgrade to OS 5, a possible and relatively simple solution is to deactivate remote access to the devices, in practice to disconnect them from the internet.

 

If you are a little code-savvy, Ribeiro and Domanski have also created their own script that fixes the vulnerability, but it has the disadvantage that it has to be run again every time the device restarts.

Comments: