A number of Western Digital cloud storage devices have been found to be vulnerable, despite the company issuing patches in an attempt to fix the problem, leading many in the industry to criticise the company.
Twelve of Western Digital’s devices were found to be at risk. The issues were originally reported by security firm GulfTech, which found that a specific username and password combination would give anyone remote backdoor admin access. In its report, GulfTech found that a file upload flaw on the devices would also give people remote access.
The devices were also found to be at risk of command injection, denial of service and information dumps. Put simply, these devices had not been properly built with security in mind.
The impacted devices are the following from the My Cloud range: EX2, EX4, EX2100, EX4100, EX2 Ultra, DL2100, DL4100, PR2100, PR4100, Mirror and Mirror Gen 2.
These devices are network attached storage and let users store files locally and access them online. They’re mainly used by home and small business users, but the risk is still unacceptable no matter the target audience of the device.
GulfTech reported the vulnerabilities to the device manufacturer in June 2017, and the manufacturer asked for 90 days before the information was given to the public. It released firmware updates in November, which apparently “fixed critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass”.
However, while GulfTech hasn’t tested the patch that was released, they’ve reported that some users are still saying some vulnerabilities remain.
If you have one of the affected devices, Western Digital advise that you disable the Dashboard Cloud access and disable any port-forwarding functions.
Dashboard Cloud can be disabled by going to Settings > General > Cloud Access.
Port forwarding should be disabled on the device and on the router. On the device, the feature can be found under Settings > Network > Port Forwarding.
“Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover,” said the company in a statement.
Western Digital are slowly rolling out patches through their firmware system and updating customers on the situation via their blog. The last update was in January, when they patched the issue with unauthorised access to multipart upload functionality.
You should always keep your device updated, and Western Digital’s support can help you with that if need be, but you should also follow sound data protection practices regardless. This includes regular data backups, password protection, and security layers on your router.
The storage company claim that they are continuously working to improve the security of their products, including working with the security community on any issues it uncovers. Nevertheless, it’s worrying that all of these devices were launched without these issues being detected. But, if anything, let it be a message that no device is ever truly secure when your data is being routed through the internet – and even when it’s offline it’s still vulnerable to theft.
Western Digital Cloud Storage is Still At Risk