It is easy to hack Western Digital’s My Cloud EX2 Ultra 4-20TB series. Put simply; the default settings leak files – the My Cloud EX2 hack is serious.
Trustwave found that the default settings on the My Cloud EX2 allow unauthenticated users to grab any files from the device completely bypassing permissions or restrictions set by the owner or administrator.
The situation gets worse if users configure the device for remote access and expose them online. In this scenario, the My Cloud EX2 storage devices also leak files via an HTTP request on port 9000.
“Unfortunately the default configuration of a new My Cloud EX2 is open. It allows any unauthenticated local network user to grab any files from the device using HTTP requests,” states Trustwave.
The problem is in the embedded UPnP (DLNA) media server that starts automatically when the device powers on. “By default, unauthenticated users can grab any files from the device completely bypassing any permissions or restrictions set by the owner or administrator,” Trustwave added.
“It doesn’t matter that you can set permissions and credentials on the My Cloud EX2 to lock down your children’s photos. These should only be available to somebody that is authenticated with the device. By knowing how the traffic works with the My Cloud EX2, you can get it to feed you any file regardless of the permissions. That is something new specific to this device,” continues Trustwave.
Unfortunately, WD declined to fix this insecure default setting. Instead, they recommend that users follow this knowledge base article to turn off DLNA “if they do not wish to utilise the product feature.”
GadgetGuy’s take – Close the My Cloud EX2 DLNA hack
Back in February GadgetGuy covered the My Cloud Hack that covered all models except the My Cloud Home series.
Firmware updates supposedly addressing the My Cloud hack were issued. But apparently, the DLNA hack still exists.
DLNA (Digital Living Network Alliance) set of interoperability guidelines for sharing digital media among multimedia devices. My Cloud (especially the larger EX 2 series) is an ideal DLNA server.
Security researcher Trustwave recently contacted Western Digital concerning an aspect of WD My Cloud media server capabilities and has reported its perspective [link].
My Cloud come with Twonky Server. It enables users to easily play their media content from a My Cloud to any device with a DLNA-enabled media player. These include smart TVs or smartphones.
Twonky Server allows access to My Cloud users within the local network without password protection, which is common with any DLNA server software.
Western Digital recommends that users save content they want protected with a password in shares that have DLNA capabilities disabled. Or disable Twonky server for the entire system, which would disable only DLNA media server capabilities.
Knowledgebase article at https://support.wdc.com/knowledgebase/answer.aspx?ID=20788.”