Western Digital Promises My Cloud HDD Updates To Address Lingering Remote Backdoor Vulnerability
We are big fans of network attached storage (NAS) solutions, which in recent years have become far more sophisticated and capable. Western Digital's My Cloud products have generally been a solid option in the NAS arena. Unfortunately, it was recently discovered that several My Cloud devices were susceptible to a backdoor vulnerability that could allow an attacker to gain unauthorized root access. Fortunately, WD is working to resolve the issue.
WD acknowledged the security holes in a blog post, saying that critical issues that were brought up in some recent articles were addressed last year with firmware update version 2.30.172 and above. As for the other issues, WD said it will address them in future updates.
"One of those issues currently being addressed for a future update is that certain My Cloud models (only with firmware versions 2.xx but not My Cloud Home) with default settings could be exploited by a sophisticated hacker in the unlikely event such hacker has access to the owner’s local network; or, if the My Cloud owner has enabled Dashboard Cloud Access (certain models*) or enabled additional port forwarding to such My Cloud devices," WD said.
WD did not say when exactly it will push another update, but in the meantime, the company "strongly" recommends that My Cloud owners who made the above changes disable the Dashboard Cloud Access, and also ensure that their router and My Cloud device are secure by disabling port-forwarding functionalities. Anyone affected should also restrict local network guest access only to people they trust.
"As a reminder, we urge customers to ensure the firmware on their products is always up to date; enabling automatic updates is recommended. We also urge you to implement sound data protection practices such as regular data backups and password protection, including to secure your router when you use a personal cloud or network-attached storage device," WD added.
There are nearly a dozen My Cloud models affected, including the My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100,My Cloud EX2 Ultra, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100, My Cloud PR4100, My Cloud Mirror, and My Cloud Mirror Gen 2.