Western Digital My Cloud Experiences Yet Another Breach

Western Digital’s My Cloud Network is down again after some sort of network breach. According to a Western Digital press release,

On March 26, 2023, Western Digital identified a network security incident involving Western Digital’s systems. In connection with the ongoing incident, an unauthorized third party gained access to a number of the Company’s systems.

Upon discovery of the incident, the Company implemented incident response efforts and initiated an investigation with the assistance of leading outside security and forensic experts. This investigation is in its early stages and Western Digital is coordinating with law enforcement authorities.

I am actually legitimately impressed that Western Digital continues to attract customers to its My Cloud offerings, given that issues like this are fairly routine for the company and service.

Back in 2018, for example, security researchers discovered that My Cloud devices had a hard-coded backdoor in them and many other vulnerabilities.

GulfTech also discovered a backdoor that bears the admin username ‘mydlinkBRionyg’ and password ‘abc12345cba.’ Anyone can just log into My Cloud devices with the said credentials, which were hardcoded into the binary and cannot be changed. This backdoor access can also allow malicious actors to access code that is vulnerable to command injection. It can spawn a root shell as well.

In 2021, hackers found a vulnerability in older My Cloud OS 3 devices that allowed them to remotely wipe Western Digital My Book Live devices after someone at Western Digital removed code that required a password to do a factory reset of the devices.

To add insult to injury, Western Digital’s response was to announce that the fix for this problem was for people to buy new devices that supported My Cloud OS 5. According to an Engadget story,

When Engadget reached out to Western Digital, a spokesperson for the company told us “there is a fix for this vulnerability — we ‘patched’ OS3 with OS 5.” They added: “My Cloud OS 5 is a major security release that provides an architectural revamp of our older My Cloud firmware. All My Cloud products currently under active support are eligible for the My Cloud OS 5 upgrade and we recommend that all users upgrade as soon as possible to benefit from the latest security fixes.”

In March 2022, Western Digital had to release a patch for My Cloud after a supply chain vulnerability left devices open to remote code execution. But the problems went well beyond supply chain issues.

To make matters worse, Western Digital PR4100 had a public AFP share by default, which was available to the hackers without requiring user authentication.

Look, Western Digital has no clue what it is doing with security in My Cloud. No one who cares about their data should ever use this product.
