Tuesday, January 9, 2018

In which I recommended a bad product

Last year ASM826 and I did a series of posts about backing up your data.  This is a critical (and often overlooked) security principle, and is important enough that there's a permanent link on the sidebar to the series.  In one of the posts (How to pick a storage device), I recommended a product: the Western Digital MyCloud storage device.

Well, oops:
Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital My Cloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files could be at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company apparently did nothing until November 2017.
Gah.  I'll spare you the gory details other than to say that Western Digital has clearly been asleep at the security switch multiple times.  This is a very bad vulnerability, it's one that can be exploited when you take your browser to a site hosting malicious javascript (i.e. pretty much anywhere), and it gives a Bad Guy complete access to all your data.

I sure as heck didn't know about this when I recommended the product.  Here is the list of products that have this bug:
  • MyCloud
  • MyCloudMirror
  • My Cloud Gen 2
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX2
  • My Cloud EX4
  • My Cloud EX2100
  • My Cloud EX4100
  • My Cloud DL2100
  • My Cloud DL4100
If you have any of these, you can get updated firmware via this page.

As to a recommended storage product, Western Digital is not anything that I can suggest you look into.  The bug never should have been in the code, but they were sloppy.  They should have fixed it months earlier than they did, but they seemingly didn't care.  Not a company I want to trust with my data.

Your mileage may vary, void where prohibited, do not remove tag under penalty of law.

8 comments:

ASM826 said...

This in no way negates the absolute need to back up any data you care about. Twice, in three places.

Arthur said...

I'm extremely dubious about anything with 'cloud' in the name unless they are actually talking about airborne water vapor.

SiGraybeard said...

I have one that I bought it in '14, long before your recommendation.

I don't use the WD software, but currently Cobian Backup. I assume I still need to do this software fix, but would appreciate your input.

Old NFO said...

Ouch is right... But how could you know?

Borepatch said...

ASM826, absolutely.

SiGraybeard, as I understand it this bug is in the firmware, so Cobian isn't keeping you safe. I'd think that updating the firmware is best.

Old NFO, I couldn't know. That's the joy of vulnerability disclosure. ;-)

Aaron de Bruyn said...

Recommend a FreeNAS by I systems. Great hardware, open source software.

Aaron de Bruyn said...

*ix systems

SiGraybeard said...

It took me most of the day to determine that the file won't run on my WD MyCloud. The linked file clearly says "WD has released new firmware for the second gen My Cloud units. "

Mine is old enough to be the first gen. I'm set for automatic updates, and it was telling me it had the latest version firmware, which agrees with their web site.