Western Digital removes hard-coded backdoor from personal cloud drives

Owners of Western Digital My Cloud should make sure they’ve downloaded the most recent security patches after a hard-coded backdoor was recently discovered on the product.

Researcher James Bercegay discovered and disclosed last Wednesday a username and password that gives users admin privileges to a dozen Western Digital models. He urges users to upgrade firmware to version 2.30.174.

The problems were reported to Western Digital last year and a patch has since removed the back door. The more fundamental question — why was there a backdoor in the first place? — remains unanswered by the company despite repeated inquiries from CyberScoop.

“This is a classic backdoor,” Bercegay wrote in a blog post outlining the problems with also included pre-authenticated remote root code execution essentially allowing complete takeover of the device.

“The triviality of exploiting this issues makes it very dangerous, and even wormable,” the researcher wrote. “Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as ‘wdmycloud’ and ‘wdmycloudmirror’ etc.”

Western Digital shared firmware code and the accompanying backdoor with the D-Link DNS-320L ShareCenter. D-Link, however, removed the backdoor four years ago.