More security vulnerabilities have been found in a number of MyCloud storage devices from Western Digital. And the company behind the claims have suggested that, despite contacting Western Digital more than six months the company has done nothing about them.
The newly disclosed vulnerabilities from Gulftech Research and Development's James Bercegay adds to the 85 vulnerabilities uncovered last year.
Western Digital had asked Bercegay to wait 90 days for them to act before disclosing, this being considered a fair and reasonable grace period in the industry, but when in mid-December no patches had been issued and another site showed a full description of one of the exploits, he made the decision to go public.
In January, the full list of exploits was revealed, affecting the following WD models:
- My Cloud Gen 2;
- My Cloud PR2100;
- My Cloud PR4100;
- My Cloud EX2 Ultra;
- My Cloud EX2;
- My Cloud EX4;
- My Cloud EX2100;
- My Cloud EX4100;
- My Cloud DL2100; and,
- My Cloud DL4100.
The most recent model, the MyCloud Home, is not included on this list and we're checking with Western Digital as to whether it is part of the rogue's gallery. The MyCloud 04.X and MyCloud 2.30.174 firmware are listed as not affected so we suspect not - the listed models are older ones that haven't been updated as recently.
Weirdly, the issue stems from a password from another vendor - D-Link which has remained hardwired into firmware. The username mydlinkBRionyg and a very guessable password will give you root access.
Although D-Link is better known for security cameras and networking, it does white label NAS devices and it appears that WD uses them in whole or in part.
What's more worrying is that this isn't just about backing up your holiday snaps - the same ranges also include small and medium business models, which could mean your personal data as a customer.
The important bit is that upgrading the firmware, if possible, will solve the problem. But with something quite this serious, the normal thing would be for WD to force the issue with a big song and dance to boot. The fact that it so far hasn't is the major cause for concern.
Connexin drops out of Ofcom auction due to start next week
SwiftKey users now send two billion emoji every week
Recruitment plans are 'most ambitious ever', claims Openreach HR director Kevin Brady
Samsung's under-the-hood improvements separate the S9 from the pack when it comes to the display