Security researcher James Bercegay found a glaring security hole in the Western Digital MyCloud family of storage devices back in June 2017.
He discovered that, amongst other vulnerabilities, a hidden firmware backdoor allowed anyone to login remotely, using the username mydlinkBRionyg, and the somewhat underwhelming password abc12345cba.
Which is really rather handy I have to admit, especially if you’re the kind of person who finds remembering passwords a right royal pain in the backside and want to access your personal stored files while you’re away from home.
What isn’t quite so marvellous is that, sadly, someone might use the same credentials (and yes, they are apparently the same on all affected WD devices) to log into your personal files remotely. In fact, the existence of default login credentials could even be used in a Mirai-style attack.
The following Western Digital devices are said to be vulnerable:
- My Cloud
- My Cloud Mirror
- My Cloud Gen 2
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX2 Ultra
- My Cloud EX2
- My Cloud EX4
- My Cloud EX2100
- My Cloud EX4100
- My Cloud DL2100
- My Cloud DL4100
Like any good vulnerability researcher, Bercegay informed the vendor about the problem, and Western Digital requested that he wait 90 days before publicly disclosing the flaw, giving them time to fix it.
Unfortunately, after six months, Western Digital still hadn’t issued any fixes. So, now we all know about it.
And that seems to have – finally – stirred Western Digital into action. Customers are advised to install firmware version 2.30.174 to remove the bonkers backdoor.
Regular readers will note that this isn’t the first time that WD My Cloud devices have been found to contain concerning vulnerabilities.