Your data in Western Digital cloud storage devices may still be vulnerable


The devices allow remote backdoor admin access among other security concerns

Digital lock (Shutterstock)

Western Digital’s cloud storage devices are still vulnerable to security flaws despite patches issued to fix the bugs, the company has said in a blog post. According to the firm, future updates are being planned to patch the affected products, although it’s unclear how many problems are still outstanding.

Vulnerabilities were found in 12 of WD’s devices and first outlined in a blog post by security firm GulfTech. GulfTech noted that a number of WD devices allow remote backdoor admin access through the username “mydlinkBRionyg” and password “abc12345cba”. GulfTech also outlines a file upload flaw within the devices that would allow potential hackers to gain remote access. The devices are also susceptible to command injection issues, denial of service attacks, and information dumps.

GulfTech contacted Western Digital about the vulnerabilities in June last year, and the company requested 90 days until full disclosure to the public. It released some firmware updates for devices in November resolving “critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass.” But the post from GulfTech says it hasn’t tested the patches Western Digital has released, and notes that users report that “some vulnerabilities still remain.”

To stay safe, WD says My Cloud owners should disable the Dashboard Cloud access and disable any port-forwarding functions. The company says a future update will address device exploitation by a hacker with access to the owner’s local network, or if the user has enabled certain My Cloud settings. “Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover,” the company said.

Western Digital’s My Cloud network attached storage (NAS) devices allow users to store files locally as well as access them via the web. These devices are used primarily in homes and small businesses. We’ve contacted Western Digital for comment and will update this story when we hear back. The models that currently offer Dashboard Cloud Access and are affected by the vulnerability include:

  • My Cloud EX2
  • My Cloud EX4
  • My Cloud EX2100
  • My Cloud EX4100
  • My Cloud EX2 Ultra
  • My Cloud DL2100
  • My Cloud DL4100
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud Mirror
  • My Cloud Mirror Gen 2