WD My Cloud NAS devices have hard-wired backdoor

If you have a Western Digital My Cloud network attached storage device, it's time to learn how to update its OS because researcher James Bercegay has discovered a dozen models possess a hard-coded backdoor. The backdoor, detailed here, lets anyone log in as user mydlinkBRionyg with the password abc12345cba. WD mostly markets …

  1. jake Silver badge

    I wonder if Marketing will ever learn.

    They can certainly sell shit.

    Unfortunately, I don't want to purchase shit. Mayhap put Engineering and QA back into the loop? It's just an idea, what do I know ...

    1. Adam 52 Silver badge

      Re: I wonder if Marketing will ever learn.

      I really doubt Marketing put this in without talking to Engineering at all. More like Engineering put it in without telling anyone else.

    2. Loud Speaker Bronze badge

      Re: I wonder if Marketing will ever learn.

      I don't want to purchase shit.

      Then presumably you won't buy anything with "Cloud" in its name or description - it tells you all you need to know.

  2. Captain DaFt

    Remember kids!

    NAS is NSA with the letters rearranged!

    (Who's that knocking at your back door?)

    1. Symon Silver badge
      Pint

      Re: Remember kids!

      I use NAS4Free. Cue Dave Edmunds. ♪

  3. bombastic bob Silver badge
    FAIL

    it's the 21st century and they're still...

    and they're STILL hard-coding back doors into their stuff, EVEN THOUGH it has been proven time, and time, and time, and time, and time ... again that DOING! THAT! IS! BONEHEADED! STUPID!!!

    Anybody got a CLUEBAT for these idiots?

    There may have once been a reason for this, for vertical market systems NOT on the internet, so you could go to a customer site and un-brick "whatever they did to it". Since the 90's, that has become *INCREDIBLY* *STUPID* to do. A physical reset button with a 'password reset' command of some kind would be a better idea, but NOOooo they had to do a BACK DOOR with a HARD CODED USER/PASS combo.

    Nice. Job. Not!!!

    1. Voland's right hand Silver badge

      Re: it's the 21st century and they're still...

      It is not THEM (as WD). They are just shopping from the lowest bidder.

      That is "consumer device manufacturers" these days. It is all ODM by someone working to a minimal budget somewhere in South East Asia. So any expectations of bug fixes, etc are pretty far fetched as well.

      It cannot be fixed in the current economic environment as it is the minimal cost model. The only way it can be fixed is if the seller (the one who stuck the brand sticker on it) will be made responsible at a FTC/EU level to supply fixes for a reasonable amount of time. IMHO 5 years of security and safety fixes for software with penalties for non-delivering in the range of 5-10% of global turnover should do the job.

      1. Pascal Monett Silver badge
        FAIL

        Re: "consumer device manufacturers"

        I don't care who it is, this is simply not acceptable, ever.

        Computer security is hard enough. We just discovered a vulnerability in a raft of CPUs that dates back more than a decade and nobody had a clue.

        So we definitely don't need people putting in barn doors that can't be closed.

        1. oiseau
          Facepalm

          Re: "consumer device manufacturers"

          Hello:

          "We just discovered a vulnerability in a raft of CPUs that dates back more than a decade and nobody had a clue."

          Nobody had a clue?

          Nobody?

          I seriously doubt that is the case.

          See the flaws in the Intel Management Engine, their implications and consequences.

          It's a long albeit interesting read.

          And then see if you can, with all the good faith you could possibly muster, say "nobody had a clue" again.

          Cheers,

        2. Tom Paine Silver badge
          FAIL

          Re: "consumer device manufacturers"

          Meltdown/Spectre, in some forms, originated in 1995 - 27 years ago.

          What with that, this WDMyFail story and a few other ohJFCnotagain fails lately I'm really starting to wonder whether I should jack in security and take up, I dunno,.. something else. Sitting next to my local ATM with a McDonalds cup, perhaps? That looks like an appealing lifestyle, compared to this.

          1. katrinab Silver badge

            Re: "consumer device manufacturers"

            Unless you've discovered that your local ATM has a vulnerability that can be exploited with McDonalds cups, then no, I wouldn't suggest that.

      2. Doctor Syntax Silver badge

        Re: it's the 21st century and they're still...

        "The only way it can be fixed is if the seller (the one who stuck the brand sticker on it) will be made responsible at a FTC/EU level to supply fixes for a reasonable amount of time."

        It can be fixed PDQ. Security checking becomes a part of UL and CE (and the equivalent for other quality regimes) checking. That goes a long way to keeping unchecked products out of major markets, sufficient to make doing it right the more profitable option.

      3. thegroucho

        Re: it's the 21st century and they're still...

        Voland's right hand, respectfully - I agree, but I would expect a little bit of Quality Assurance, i.e. somebody to eyeball the code.

        1. Loud Speaker Bronze badge

          Re: it's the 21st century and they're still...

          I would expect a little bit of Quality Assurance

          That's OK, we will be off your lawn real soon now.

      4. JohnFen Silver badge

        Re: it's the 21st century and they're still...

        "It is not THEM (as WD). They are just shopping from the lowest bidder."

        Technically true. However, in my view, if you've bought it, put your name on it, and are selling it, then you're responsible for it whether you made it or not. WD is at fault here for, at a minimum, not properly vetting the device.

      5. John Smith 19 Gold badge
        Coat

        It is all ODM by someone working to a minimal budget somewhere in South East Asia.

        Yes once again code monkey strikes again.

        The nature of monkey is irrepressible

        Mine's the one with a DVD of a dodgily dubbed 70's chop socky TV series.

        1. Long John Brass Silver badge
          Pint

          Re: It is all ODM by someone working to a minimal budget somewhere in South East Asia.

          I loved that series. Have a pint for bringing back happy memories :)

  4. Trollslayer Silver badge
    Thumb Down

    Fix the title

    It is obvious

  5. Dan 55 Silver badge
    Holmes

    Previous generations affected?

    I.e. the My Books which miraculously stopped receiving firmware updates when they got renamed by Marketing to My Cloud.

  6. Unicornpiss Silver badge
    Meh

    No surprise..

    ..just further disappointment.

  7. Lon Bailey
    WTF?

    WD firmware version

    WD website says the latest version is 2.3.172 not 2.3.174 as described in the article. Any thoughts on this?

    1. Version 1.0 Silver badge
      Facepalm

      Re: WD firmware version

      The current version on my box is v04.05.00-320 which has the backdoor - I just logged in. I am disabling all external access to the device but that still leaves it wide open on the LAN.

      Goodbye "cloud" I'm done with you.

      1. bombastic bob Silver badge
        Unhappy

        Re: WD firmware version

        'Goodbye "cloud" I'm done with you.'

        Sadly that may be the only alternative...

        Still, it would seem to me that *maybe* an 'Open NAS' or equivalent might work on those drives...

        (has anyone tried to load it?)

        If another OS _can_ be loaded on those devices, maybe THAT is the fix?

  8. H in The Hague Silver badge

    Feeling smug now

    A few months ago:

    Supplier: Are you sure you don't want the Cloud version of this lovely WD external drive?

    Me: That's right - don't want anything with remote access. I'll have the plain vanilla drive please (well, the RAID model).

    Sometimes it pays to be a Luddite :)

    1. Munchausen's proxy

      Re: Feeling smug now

      "Sometimes it pays to be a Luddite :)"

      A lot of people ignore the fact that the Luddites were pretty correct in their analysis, and rational (if ill-fated) in their response.

  9. gsf333

    Anyone know if this affects the WD My Book Live? I know the article makes no mention of this, however is this because it's no longer a currently supported device?

    As a side, if the device is set to not accept remote connections, would this mean only a local user could gain entry?

  10. Steve Graham

    Read the researcher's own article for full gory details. The whole suite is completely incompetent, and even without the hard-coded login is wide open to hacking.

    It looks like the work of a very inexperienced programmer: they probably got the intern to write it.

    1. Anonymous Coward
      Anonymous Coward

      Genuinely reads like they've had a quick go at it then left the company or not been asked to finish it up. Good work on the researcher's part in taking it to pieces though, funny how one scruffy bit of code leads onto another though.

  11. David Roberts Silver badge
    Paris Hilton

    I assume that....

    ....you have to configure it and the router to allow incoming connections from the Internet otherwise it is a NAS and not a cloud.

    Unless (like my HP printer) it connects out to a central server so no incoming connection is required.

    I had a quick look round but couldn't find a description of the mechanics. I assume it does clever things to the router as most punters wouldn't know where to start.

    1. Lee D Silver badge

      Re: I assume that....

      1) They probably have UPnP (read: Automated, unauthenticated system to instruct your router to port-forward any given port externally to any given IP/port internally. In case you didn't know that).

      2) Talking out is enough to cause issues like this to be worrying as you can then use apps to connect back to the drive. Presumably they are now blocking that username combination but who knows?

      3) It doesn't matter... it's much more of a risk INTERNALLY. People are suggesting using these as iSCSI devices, which means they are acting as backing stores and live storage for VM's for servers, etc. That's just dumb to have a pre-fab password. This time next year, every virus will have those passwords included and will probe the local network so that that tiny local infection can - if you don't have full isolation - turn into direct access to all your iSCSI storage, etc.

  12. Michael H.F. Wilkinson Silver badge
    Coat

    NASty

    Sorry, couldn't resist. I'll get me coat. The one with "Get thee to a punnery" in the pocket, please

  13. John H Woods Silver badge

    Glad I didn't buy one ...

    ... I went for an HP microserver which was actually cheaper.

    Bit miffed that I have to jump through so many hoops to get BIOS updates tho.

    1. Down not across

      Re: Glad I didn't buy one ...

      ... I went for an HP microserver which was actually cheaper.

      I did the same. Back in the day all the NAS's were too expensive and limited, so I bought HP Microserver N36L on one of those cashback deals. Running NAS4Free (since the split up... was running FreeNAS before that) nicely from USB stick with all 4 bays for ZFS. I did add an Intel quad GE NIC though as the onboard one would lock up on heavy traffic.

  14. crediblywitless

    Successfully updated a MyCloud EX4 just now. This was made more awkward by the fact that the device expects to be able to download the firmware update into user-data space - so if you've deliberately created an ISCSI target that uses _all_ of that space, it has nowhere to put the update. Take your service disks out, put a scratch disk in, let it set that up, update the firmware, take the scratch out, put your service disks back, and click 'OK' when it asks you if you want to 'integrate the roaming RAID partition'.... And relax.

    So, there's a programmer who works at D-Link somewhere named Briony, is there? Her surname starts with G? Good grief...

    1. The First Dave

      Programmer? No.

      Work Experience kid who doesn't know how to keep test code out of Production? Yes. Probably now a senior manager.

  15. ShelLuser

    Not surprised..

    I had a My Book (500Gb) for quite a long time and later on bought myself a My WorldBook (1Tb). It was fun while it lasted: after a while the MyBook didn't work for some reason; even copying a 1Mb file would take minutes (just for context: my computer and the MyBook were hooked up onto the same switch, and other network related functions worked without any issues).

    Eventually I opened it up, took out the HD, learned about the Linux OS and ext2 (or ext3, don't remember) filesystems and then copied all my data from it. Right now this same HD sits inside my FreeBSD server, now UFS formatted, and it works just fine. So much for reliability.

    I still have the WorldBook but I don't dare to copy any data onto it because I fear for the worst. So it's read-only for now. I'll probably end up opening it up and taking out the HD as well, that will be the end of my My Book endeavors.

  16. Version 1.0 Silver badge
    Facepalm

    So let's start scanning ...

    Given that the MyCloud devices prompt the users throughout the installation to install cloud access I expect that there's a lot of data out there for the taking. For a lot of casual users, even if they don't use the cloud features, it may well have been turned on when it was installed.

  17. Alistair Silver badge
    Black Helicopters

    who is Bryoni g. and where do they work NOW?

    The NSA?

  18. jay_bea

    DLink 320L NAS

    If you have a DLink NAS, you can always flash the Alt-F firmware, which is open source, has more features than the original DLink version, and does not (AFAIK) have any backdoors.

    https://sourceforge.net/projects/alt-f/

  19. JohnFen Silver badge

    At this point

    Since serious, and intentional, security holes are routinely found in pretty much every class of network-connected device, I think it's safe to say that manufacturers can't be trusted with anything that involves network access. The only secure way forward for devices that have network access is to roll your own.

  20. Tigra 07 Silver badge
    Coat

    Down with this sort of thing...

    I'm guessing the blame lies at the feet of the mysterious B Rionyg?

    1. Peter2 Silver badge

      Re: Down with this sort of thing...

      And whomever signed off the code review that missed a hardcoded backdoor.

      1. Outer mongolian custard monster from outer space (honest)

        Re: Down with this sort of thing...

        Code review? insert jaundiced cackle...

        1. Paul 129
          Trollface

          Re: Down with this sort of thing...

          "Code review? insert jaundiced cackle..."

          No. Classic Wizard of Oz, wicked witch of the west cackle. FTW!

    2. Anonymous Coward
      Anonymous Coward

      Re: Down with this sort of thing...

      > I'm guessing the blame lies at the feet of the mysterious B Rionyg?

      More likely "Briony G".

  21. herman Silver badge

    I made my own 'NAS' from a Raspberry Pi and a couple of flash memory sticks in about 20 minutes. For any self respecting geek, there is no reason to use off the shelf exploit kits.

    1. RonWheeler

      My time is important

      and flash memory / 100bit interface both suck for intended use.

  22. Outer mongolian custard monster from outer space (honest)
    FAIL

    What like these, reviewed by el reg some time back with no consideration of security or how it might be a pwn point for your entire network by the reviewer...

    https://forums.theregister.co.uk/forum/1/2017/09/26/my_cloud_home_review/

    Interesting user name choice. :-

    "Noun 1. briony - a vine of the genus Bryonia having large leaves and small flowers and yielding acrid juice with emetic and purgative properties"

  23. RonWheeler

    Iffy reporting

    Series 4 firmware has been on my 2 MyCloud (on auto update) for almost a year. Yes, hardcoding was a stupid thing to do in the first place, but the fix has been available for a very long time.

  24. JLV Silver badge

    Would this be the dlink that...

    Once redirected all its routers' DNS to a signup for its Parental Protection subscription-ware after updating said routers' firmware? And obfuscated the opt-out dialog?

    Comodo, DLink, etc... are on my never, ever, again list.

  25. sloshnmosh

    "I made my own 'NAS' from a Raspberry Pi and a couple of flash memory sticks in about 20 minutes. For any self respecting geek, there is no reason to use off the shelf exploit kits."

    As a bonus your NAS is also safe from the whole "Meltdown" debacle.

  26. djvrs

    Hmmm

    https://files.mycloud.com/login.php Is the login page for the WD mycloud NAS. How does the site redirect you to your NAS using those hardcoded login credentials? Or will it only work with those who have enabled SSH?

  27. Colin W.

    I can't log in

    I have firmware version 2.10.310 but I'm not able to log in via the web interface, and FTP, SSH and Telnet ports are all refusing connections.

    That seems strange. Shouldn't I be able to log in with this old firmware?

    Actually I have some quite low opinions of this system for other reasons. When I first got it and tried logging in remotely using a mobile phone and the official software from WD, it worked super slow for a little while, before the entire device just crashed and I was not able to use it any more until I came home and rebooted. I was pretty disgusted and never tried to use it again after that. I suppose I might have some better luck now with a new firmware (this happened about two years ago) but how can a big company release something in such a poor working state?
