Category: IT|Jul 7, 2021 | Author: Admin

Found new bug: Could get full access to more Western Digital discs

Share on

Upgrade to a newer version, the company says.

Recently, we wrote about owners of Western Digital products who experienced that hackers broke in and restored the disks to factory settings, which resulted in them losing all data.

 

This was due to two separate vulnerabilities in My Book Live products, and it was speculated that several hacker groups had been involved. WD eventually said they would try to recover customers' lost data.

 

Now a new vulnerability has emerged, and this time it includes the much newer My Cloud devices. A video about the vulnerability was originally published as early as February, but has been brought out by security writer Brian Krebs in light of the MyBook Live hacking.

 

Be able to remotely update the firmware
It was security researchers Pedro Ribeiro and Radek Domanski who discovered that a chain of vulnerabilities caused an attacker to remotely update the firmware on Western Digital's My Cloud network drives, which is a much newer product type than the My Book Live devices that lost data.

 

With that, they could in practice install a "back door" and get full access to the device, thanks to the operating system My Cloud OS 3 had a standard user account with a blank password.

 

Ribeiro and Domanski were originally to participate with the discovery in a competition called Pwn2Own last year, where by documenting that one can hack into large systems, relatively large sums of money can be paid. In this year's edition, more than NOK 10 million was paid out.

 

Updated, but not everyone was happy
Just days before the competition was to take place, however, Western Digital released My Cloud OS 5, which closed the vulnerability they had found. Since then, the company has announced that they will not come with more updates to My Cloud OS 3, and recommends all customers to upgrade.

 

The "downside" is that OS 5 was a complete rebuild of the entire operating system.

 

- It ruined a lot of functionality. So some users may have decided not to migrate to OS 5, Domanski told Krebs.

 

A look at Western Digital's forums suggests that the user base on OS 3 is still significant, he says.

 

- We had no questions
Security researchers contacted Western Digital about the vulnerability, but never received a response.

 

- The communication that came to us confirmed that the research group involved planned to release details about the vulnerability and asked us to contact us if we had any questions. We had no questions, so we did not answer, says Western Digital to Krebs.

 

However, they say that they have updated the routines afterwards, and that they now respond to all reports to avoid misunderstandings.

 

To Engadget, the company says that there is a fix for the vulnerability - to upgrade to OS 5.

 

- My Cloud OS 5 is a major security update that provides an architectural overhaul of our older My Cloud firmware. All My Cloud products that are under active customer support are eligible for the My Cloud OS 5 upgrade, and we recommend that all users upgrade as soon as possible to take advantage of the latest security fixes, they say.

 

Disconnect from the internet
If you have a WD MyCloud device with OS 3 and do not want or can not upgrade to OS 5, a possible and relatively simple solution is to deactivate remote access to the devices, in practice to disconnect them from the internet.

 

If you are a little code-savvy, Ribeiro and Domanski have also created their own script that fixes the vulnerability, but it has the disadvantage that it has to be run again every time the device restarts.

Sponsored Ads:

Comments:


TEST

Microsoft 365 Copilot rollout set for Nov. 1

Category: Microsoft|Sep 27, 2023 | Author: Admin

Google US antitrust trial: A timeline

Category: Google|Sep 26, 2023 | Author: Admin

Changes color when you touch it

Category: Apple|Sep 25, 2023 | Author: Admin

Ridicules Apple and the iPhone

Category: IT|Sep 24, 2023 | Author: Admin

The iPhone will get this later this year

Category: Apple|Sep 23, 2023 | Author: Admin

You should now launch Steam

Category: General|Sep 22, 2023 | Author: Admin

You need to update again

Category: Apple|Sep 21, 2023 | Author: Admin

Be warned before you make the big mistake

Category: General|Sep 20, 2023 | Author: Admin

“We were bullied by Apple”

Category: Apple|Sep 19, 2023 | Author: Admin

We weren't supposed to know this

Category: Microsoft|Sep 18, 2023 | Author: Admin

Apple's clever trick

Category: Apple|Sep 17, 2023 | Author: Admin

Price cut

Category: IT|Sep 16, 2023 | Author: Admin

Sold out

Category: Apple|Sep 15, 2023 | Author: Admin

What Apple has done is bizarre

Category: Apple|Sep 14, 2023 | Author: Admin

Ban iPhone 12

Category: Apple|Sep 13, 2023 | Author: Admin
more