Category: IT|Jul 7, 2021 | Author: Admin

Found new bug: Could get full access to more Western Digital discs

Share on

Upgrade to a newer version, the company says.

Recently, we wrote about owners of Western Digital products who experienced that hackers broke in and restored the disks to factory settings, which resulted in them losing all data.

 

This was due to two separate vulnerabilities in My Book Live products, and it was speculated that several hacker groups had been involved. WD eventually said they would try to recover customers' lost data.

 

Now a new vulnerability has emerged, and this time it includes the much newer My Cloud devices. A video about the vulnerability was originally published as early as February, but has been brought out by security writer Brian Krebs in light of the MyBook Live hacking.

 

Be able to remotely update the firmware
It was security researchers Pedro Ribeiro and Radek Domanski who discovered that a chain of vulnerabilities caused an attacker to remotely update the firmware on Western Digital's My Cloud network drives, which is a much newer product type than the My Book Live devices that lost data.

 

With that, they could in practice install a "back door" and get full access to the device, thanks to the operating system My Cloud OS 3 had a standard user account with a blank password.

 

Ribeiro and Domanski were originally to participate with the discovery in a competition called Pwn2Own last year, where by documenting that one can hack into large systems, relatively large sums of money can be paid. In this year's edition, more than NOK 10 million was paid out.

 

Updated, but not everyone was happy
Just days before the competition was to take place, however, Western Digital released My Cloud OS 5, which closed the vulnerability they had found. Since then, the company has announced that they will not come with more updates to My Cloud OS 3, and recommends all customers to upgrade.

 

The "downside" is that OS 5 was a complete rebuild of the entire operating system.

 

- It ruined a lot of functionality. So some users may have decided not to migrate to OS 5, Domanski told Krebs.

 

A look at Western Digital's forums suggests that the user base on OS 3 is still significant, he says.

 

- We had no questions
Security researchers contacted Western Digital about the vulnerability, but never received a response.

 

- The communication that came to us confirmed that the research group involved planned to release details about the vulnerability and asked us to contact us if we had any questions. We had no questions, so we did not answer, says Western Digital to Krebs.

 

However, they say that they have updated the routines afterwards, and that they now respond to all reports to avoid misunderstandings.

 

To Engadget, the company says that there is a fix for the vulnerability - to upgrade to OS 5.

 

- My Cloud OS 5 is a major security update that provides an architectural overhaul of our older My Cloud firmware. All My Cloud products that are under active customer support are eligible for the My Cloud OS 5 upgrade, and we recommend that all users upgrade as soon as possible to take advantage of the latest security fixes, they say.

 

Disconnect from the internet
If you have a WD MyCloud device with OS 3 and do not want or can not upgrade to OS 5, a possible and relatively simple solution is to deactivate remote access to the devices, in practice to disconnect them from the internet.

 

If you are a little code-savvy, Ribeiro and Domanski have also created their own script that fixes the vulnerability, but it has the disadvantage that it has to be run again every time the device restarts.

Sponsored Ads:

Comments:


USA bans Kaspersky antivirus

Category: IT|Jun 21, 2024 | Author: Admin

Google is canceling cheap YouTube Premium subs obtained via VPN

Category: Google|Jun 20, 2024 | Author: Admin

That's why Apple limits "AI" to the iPhone 15 Pro - EU NOT happy with the App Store

Category: Apple|Jun 19, 2024 | Author: Admin

"Apple has canceled the Vision Pro 2" - something exciting could happen in 2025

Category: IT|Jun 18, 2024 | Author: Admin

Just Don't Ask Nintendo About 'Switch 2'

Category: General|Jun 17, 2024 | Author: Admin

Adobe to adapt terms of service on gen AI training after customer backlash

Category: IT|Jun 16, 2024 | Author: Admin

Microsoft delivers a light Patch Tuesday for June

Category: Microsoft|Jun 15, 2024 | Author: Admin

Ending Android after 14 years

Category: Google|Jun 14, 2024 | Author: Admin

Apple pays nothing

Category: Apple|Jun 13, 2024 | Author: Admin

Netgear WNR614 flaws allow device takeover, no fix available

Category: IT|Jun 12, 2024 | Author: Admin

Malicious VSCode extensions with millions of installs discovered

Category: Microsoft|Jun 11, 2024 | Author: Admin

Brave says May 2024 was its biggest growth month ever

Category: IT|Jun 10, 2024 | Author: Admin

The speedometer can disappear - now in crisis Volvo is updating over 70,000 cars

Category: IT|Jun 9, 2024 | Author: Admin

LastPass says 12-hour outage caused by bad Chrome extension update

Category: IT|Jun 8, 2024 | Author: Admin

Netflix is ‚Äč‚Äčtesting big changes

Category: General|Jun 7, 2024 | Author: Admin
more