Category: IT|Jul 7, 2021 | Author: Admin

Found new bug: Could get full access to more Western Digital discs

Share on

Upgrade to a newer version, the company says.

Recently, we wrote about owners of Western Digital products who experienced that hackers broke in and restored the disks to factory settings, which resulted in them losing all data.

 

This was due to two separate vulnerabilities in My Book Live products, and it was speculated that several hacker groups had been involved. WD eventually said they would try to recover customers' lost data.

 

Now a new vulnerability has emerged, and this time it includes the much newer My Cloud devices. A video about the vulnerability was originally published as early as February, but has been brought out by security writer Brian Krebs in light of the MyBook Live hacking.

 

Be able to remotely update the firmware
It was security researchers Pedro Ribeiro and Radek Domanski who discovered that a chain of vulnerabilities caused an attacker to remotely update the firmware on Western Digital's My Cloud network drives, which is a much newer product type than the My Book Live devices that lost data.

 

With that, they could in practice install a "back door" and get full access to the device, thanks to the operating system My Cloud OS 3 had a standard user account with a blank password.

 

Ribeiro and Domanski were originally to participate with the discovery in a competition called Pwn2Own last year, where by documenting that one can hack into large systems, relatively large sums of money can be paid. In this year's edition, more than NOK 10 million was paid out.

 

Updated, but not everyone was happy
Just days before the competition was to take place, however, Western Digital released My Cloud OS 5, which closed the vulnerability they had found. Since then, the company has announced that they will not come with more updates to My Cloud OS 3, and recommends all customers to upgrade.

 

The "downside" is that OS 5 was a complete rebuild of the entire operating system.

 

- It ruined a lot of functionality. So some users may have decided not to migrate to OS 5, Domanski told Krebs.

 

A look at Western Digital's forums suggests that the user base on OS 3 is still significant, he says.

 

- We had no questions
Security researchers contacted Western Digital about the vulnerability, but never received a response.

 

- The communication that came to us confirmed that the research group involved planned to release details about the vulnerability and asked us to contact us if we had any questions. We had no questions, so we did not answer, says Western Digital to Krebs.

 

However, they say that they have updated the routines afterwards, and that they now respond to all reports to avoid misunderstandings.

 

To Engadget, the company says that there is a fix for the vulnerability - to upgrade to OS 5.

 

- My Cloud OS 5 is a major security update that provides an architectural overhaul of our older My Cloud firmware. All My Cloud products that are under active customer support are eligible for the My Cloud OS 5 upgrade, and we recommend that all users upgrade as soon as possible to take advantage of the latest security fixes, they say.

 

Disconnect from the internet
If you have a WD MyCloud device with OS 3 and do not want or can not upgrade to OS 5, a possible and relatively simple solution is to deactivate remote access to the devices, in practice to disconnect them from the internet.

 

If you are a little code-savvy, Ribeiro and Domanski have also created their own script that fixes the vulnerability, but it has the disadvantage that it has to be run again every time the device restarts.

Sponsored Ads:

Comments:


Locked out 8 million Telegram users, then this happened

Category: IT|Mar 28, 2024 | Author: Admin

Mac update fixes important bugs

Category: Apple|Mar 27, 2024 | Author: Admin

The Windows Format Dialog Remains Unchanged After 30 Years

Category: Microsoft|Mar 26, 2024 | Author: Admin

Google's new AI search results promotes sites pushing malware, scams

Category: Google|Mar 25, 2024 | Author: Admin

YouTube ordered not to talk about it

Category: IT|Mar 24, 2024 | Author: Admin

It became too difficult for Apple

Category: Apple|Mar 23, 2024 | Author: Admin

Windows 11 Notepad finally gets spellcheck and autocorrect

Category: Microsoft|Mar 22, 2024 | Author: Admin

This is how Android 15 gets better

Category: Google|Mar 21, 2024 | Author: Admin

Warns Apple

Category: Apple|Mar 20, 2024 | Author: Admin

Microsoft again bothers Chrome users with Bing popup ads in Windows

Category: Microsoft|Mar 19, 2024 | Author: Admin

Increased by 164 percent

Category: IT|Mar 18, 2024 | Author: Admin

Anthropic launches its fastest and cheapest AI model yet

Category: IT|Mar 17, 2024 | Author: Admin

What is Darwin AI and how could Apple use its new tech?

Category: Apple|Mar 16, 2024 | Author: Admin

DO NOT update Minecraft!

Category: IT|Mar 15, 2024 | Author: Admin

Did you experience the problem? Now it is fixed

Category: Microsoft|Mar 14, 2024 | Author: Admin
more