Category: IT|Jul 7, 2021 | Author: Admin

Found new bug: Could get full access to more Western Digital discs

Share on

Upgrade to a newer version, the company says.

Recently, we wrote about owners of Western Digital products who experienced that hackers broke in and restored the disks to factory settings, which resulted in them losing all data.

 

This was due to two separate vulnerabilities in My Book Live products, and it was speculated that several hacker groups had been involved. WD eventually said they would try to recover customers' lost data.

 

Now a new vulnerability has emerged, and this time it includes the much newer My Cloud devices. A video about the vulnerability was originally published as early as February, but has been brought out by security writer Brian Krebs in light of the MyBook Live hacking.

 

Be able to remotely update the firmware
It was security researchers Pedro Ribeiro and Radek Domanski who discovered that a chain of vulnerabilities caused an attacker to remotely update the firmware on Western Digital's My Cloud network drives, which is a much newer product type than the My Book Live devices that lost data.

 

With that, they could in practice install a "back door" and get full access to the device, thanks to the operating system My Cloud OS 3 had a standard user account with a blank password.

 

Ribeiro and Domanski were originally to participate with the discovery in a competition called Pwn2Own last year, where by documenting that one can hack into large systems, relatively large sums of money can be paid. In this year's edition, more than NOK 10 million was paid out.

 

Updated, but not everyone was happy
Just days before the competition was to take place, however, Western Digital released My Cloud OS 5, which closed the vulnerability they had found. Since then, the company has announced that they will not come with more updates to My Cloud OS 3, and recommends all customers to upgrade.

 

The "downside" is that OS 5 was a complete rebuild of the entire operating system.

 

- It ruined a lot of functionality. So some users may have decided not to migrate to OS 5, Domanski told Krebs.

 

A look at Western Digital's forums suggests that the user base on OS 3 is still significant, he says.

 

- We had no questions
Security researchers contacted Western Digital about the vulnerability, but never received a response.

 

- The communication that came to us confirmed that the research group involved planned to release details about the vulnerability and asked us to contact us if we had any questions. We had no questions, so we did not answer, says Western Digital to Krebs.

 

However, they say that they have updated the routines afterwards, and that they now respond to all reports to avoid misunderstandings.

 

To Engadget, the company says that there is a fix for the vulnerability - to upgrade to OS 5.

 

- My Cloud OS 5 is a major security update that provides an architectural overhaul of our older My Cloud firmware. All My Cloud products that are under active customer support are eligible for the My Cloud OS 5 upgrade, and we recommend that all users upgrade as soon as possible to take advantage of the latest security fixes, they say.

 

Disconnect from the internet
If you have a WD MyCloud device with OS 3 and do not want or can not upgrade to OS 5, a possible and relatively simple solution is to deactivate remote access to the devices, in practice to disconnect them from the internet.

 

If you are a little code-savvy, Ribeiro and Domanski have also created their own script that fixes the vulnerability, but it has the disadvantage that it has to be run again every time the device restarts.

Sponsored Ads:

Comments:


New Windows 11 test hides something Microsoft has not touched in decades

Category: Microsoft|Jan 23, 2022 | Author: Admin

MediaTek shows the world’s first live demos of Wi-Fi 7 technology

Category: IT|Jan 22, 2022 | Author: Admin

iOS 15-hole leaked private Apple ID data to third-party apps

Category: Apple|Jan 21, 2022 | Author: Admin

Had to crisis-postpone new 5G standard in the US to avoid plane chaos

Category: IT|Jan 20, 2022 | Author: Admin

No one found out that the iPhone 13 is missing this until now

Category: Apple|Jan 19, 2022 | Author: Admin

Safari leaks your browser history

Category: General|Jan 18, 2022 | Author: Admin

Chromium Trouble - Can't change default search engine anymore

Category: Google|Jan 17, 2022 | Author: Admin

Here, developers are allowed by Apple to offer alternative payment methods

Category: Apple|Jan 16, 2022 | Author: Admin

Microsoft refuses to correct the error - took matters into its own hands

Category: Microsoft|Jan 15, 2022 | Author: Admin

Now Meta gets the authorities on its neck, again

Category: General|Jan 14, 2022 | Author: Admin

Has invested heavily in podcasts - now Spotify is closing down the studio

Category: General|Jan 13, 2022 | Author: Admin

Claims HomePod mini is on its way to Norway

Category: General|Jan 12, 2022 | Author: Admin

Linux gets the function everyone wants

Category: IT|Jan 11, 2022 | Author: Admin

Flasher RTX 3080 Ti with 3090 BIOS for extra efficient Ethereum mining

Category: General|Jan 10, 2022 | Author: Admin

Dice continues to destroy for himself: removed favorite from Battlefield 2042

Category: General|Jan 9, 2022 | Author: Admin
more