Western Digital failed to patch critical flaws that allowed hackers to gain root access to My Cloud NAS devices despite being warned by researchers six months ago!
Several critical vulnerabilities in My Cloud NAS devices allowed hackers to conduct remote code execution, to upload and download files at will and to hack into admin accounts which can not be changed.
My Cloud NAS devices by Western Digital are at the moment the most-sought-after cloud storage devices by individuals and enterprises alike and feature as the highest selling storage devices on Amazon.
According to security researchers at GulfTech Research and Development, two variants of My Cloud NAS devices, namely WDMyCloud 4TB and a WDMyCloudMirror 16TB, were found featuring several security vulnerabilities that allowed hackers to infiltrate the devices, upload and download files, and hijack non-changeable admin accounts.
The researchers had discovered such flaws as far back as in June last year and had promptly reported the issues to Western Digital. However, despite the increased threat posed to IoT devices by hackers the world over, they did not bring in patches for their highest-selling devices, thereby leaving existing and new users vulnerable to hackers.
Among the critical security flaws is a misconfiguration in the PHP gethostbyaddr() function used within PHP by developers at Western Digital. This flaw allows hackers to upload any file to the server that they want. Another critical flaw allows hackers to conduct remote code execution to upload a PHP webshell to the "/var/www/"
directory which can be executed by 'requesting a URI pointing to the backdoor, and thus triggering the payload'.
The researchers also discovered that hackers could access administrator credentials like username and password which were hardcoded into the binary and could not be changed. Using these credentials, anyone could log in to a My Cloud NAS devices and access files stored in it.
'The triviality of exploiting this issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as "wdmycloud" and "wdmycloudmirror" etc,' they said.
They disclosed several more vulnerabilities that compromised sensitive data stored by users on their NAS devices. These included hackers abusing language preferences to cause a denial of service to the web interface and hackers dumping a list of all users, including detailed user information.
Now that the flaws have been revealed, it will be interesting to see if businesses and individuals will continue to go for newer IoT devices or whether they will demand manufacturers to fix existing security flaws before purchasing or using them.
However, price comparison website MoneySuperMarket revealed in September that despite being worried about potential risks associated with smart home devices, especially with regard to their data being collected without their permission, an average UK household continues to feature as many as 9 smart home devices.