Another day, another WD security flaw

After a security vulnerability led to some WD NAS owners having their data wiped, a new vulnerability has been discovered in more of WD’s devices (via KrebsOnSecurity). The vulnerability, discovered by security researchers Pedro Ribeiro and Radek Domanski, is seemingly present on Cloud OS 3 devices and not on the newer Cloud OS 5, which WD recently released as an update. The problem is that, according to Ribeiro and Domanski, many of WD’s users don’t like the new version. That’s because it’s missing certain functions and features that were available in Cloud OS 3. WD has said it won’t be updating Cloud OS 3 with security patches.

There’s also the possibility that some users won’t be able to upgrade to Cloud OS 5. According to WD’s supported devices page, the updated software isn’t available for the MyCloud EX2, EX4, or certain versions of the My Cloud and My Cloud Mirror.

If you own a device that can’t be updated to Cloud OS 5, WD’s advice is to upgrade to one that can. The other option, according to a statement WD gave to Comparitech last year, is to turn off remote dashboard access to the device.

The researchers found that they could get into a Cloud OS 3 device by remotely updating it with modified firmware. The firmware update functionality is meant to be accessible only to authenticated users, but they were able to get around that because the NAS seemingly has a user on it with a blank password, which they were able to use to authenticate in some cases.

Their version of the exploit allows them to carry out commands on the NAS, but other versions could be used for any number of nefarious purposes. Also, because the hack exploits the firmware update function, a hacker could purposefully or even accidentally brick the device. The researchers have built their own custom security patch, but it has to be re-applied to the device every time it reboots. You can see more details about it in a video they made explaining the exploit.

While the vulnerability found by the researchers seems especially egregious, it may not be the only one out there — WD’s post recommending people upgrade to Cloud OS 5 says that it defends against entire classes of attacks. With that in mind, if you own a device that can’t run the new OS, it’s probably time to think about an upgrade, either to one of WD’s new devices, or to another NAS option.

Leave a Comment