Just one week after software vulnerabilities left WD My Book Live users with hacked and formatted storage drives, a newly discovered exploit is threatening Western Digital’s My Cloud devices. This exploit, which allows hackers to carry out commands or brick My Cloud NAS units, affects all products running the Cloud OS 3 software, of which there are many.
Researchers Radek Domanski and Pedro Ribeiro discovered that they could remotely access a My Cloud 3 device by pumping it with modified firmware. This isn’t a very difficult task—yes, Cloud OS 3 devices require login credentials to perform a firmware update, but Domanski and Ribeiro found that some WD NAS devices contain a hidden user that isn’t protected by a password.
Now, it’s worth mentioning that WD’s Cloud OS 3 is an outdated operating system. Most people using Western Digital NAS units have the option to update to Cloud OS 5, which defends against several “classes of attacks,” according to Western Digital.
Western Digital advises all of its customers to update to the Cloud OS 5 operating system, as it should. But many refuse to upgrade because Cloud OS 5 is missing features that are available in Cloud OS 3, including the ability to manage files across different NAS devices.
Customers may have bought their My Cloud NAS unit for features that are missing in Cloud OS 5, so you can’t blame them for refusing to upgrade. On the other hand, you can blame Western Digital for not sending out security patches for Cloud OS 3. Not only do some customers prefer the older OS, but devices like the MyCloud EX2 and EX4 cannot update to the newer Cloud OS 5.
If you own a NAS device running Cloud OS 3, you should probably bite the bullet, upgrade to the new OS, and create an extra backup for your data just in case something bad happens. Western Digital clearly can’t be trusted to take device security seriously, and hackers are likely searching for new ways to gain control over Western Digital NAS units.
Source: Krebs on Security via The Verge
