Backdoor and vulnerabilities found in WD MyCloud NAS devices

Another big leak: WD integrated a backdoor into its MyCloud NAS devices! It was found by GulfTech. The community seems really angry about it.


Affected products

  • MyCloud <= 2.30.165
  • MyCloudMirror <= 2.30.165
  • My Cloud Gen 2
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX2
  • My Cloud EX4
  • My Cloud EX2100
  • My Cloud EX4100
  • My Cloud DL2100
  • My Cloud DL4100

"The D-Link DNS-320L had the same exact hard coded backdoor and same exact file upload vulnerability that was present within the WDMyCloud. So, it seems that the WDMyCloud software shares a large amount of the D-Link DNS-320L code, backdoor and all. There are also other undeniable examples such as misspelled function names and other anomalies that match up within both the WDMyCloud and the D-Link DNS-320L"

Not Vulnerable

  • MyCloud 04.X Series

Speculation

Generally when it’s something this obvious I think it’s a backdoor for debugging that got left in due to bad development practices. I think it can go the other way in a couple of cases though:

  1. WD (forced by a government) or its staff (by WD management) were ordered to put in the backdoor, but didn’t agree with doing so, and thus made it obvious in the hopes that it would be found.
  2. A backdoor that is found but written off as sloppy development is less damaging than a bug that, if found and analysed, looks deliberate (because bad development practices are hardly new for hardware manufacturers). It potentially makes exploiting it less risky as well – if it’s an obvious or known thing, the attacker could be anyone. If it’s a subtle, undisclosed bug (that hasn’t been used against many targets), that suggests, to some extent, the involvement of whoever could arrange for the bug to be placed there.

It probably isn’t deliberate, but that possibility certainly isn’t excluded either, so I’d be cautious about treating this as a hard and fast rule.

Open questions

  • How can we protect ourselves against backdoored products that are covertly subsidized by governments?
  • This situation has been a problem for years now. What can be done? What regulation or law would help? What should we demand?
  • Any ideas on why WD and D-Link share the same hard-coded user and password?

Alternatives

You could use FreeNAS and NextCloud. Some MyCloud devices can be modified to just run Debian. I treat my MyCloud as a cheap Linux box with lots of storage in a convenient form factor. If it weren’t for that, I’d just build a computer.
