Don’t panic. Most owners would not have seen the recent silent firmware upgrade rolled out to all internet-connected WD My Cloud devices. If yours has not been upgraded, access it via the My Cloud Dashboard software or website and check for updates.
Any internet-connected device (routers, TVs, IoT and more) can be hacked remotely. WD is by no means alone here and worked with Trustwave to quickly address the issues. Synology has just issued an advisory for a flaw in its media server that allows remote attackers to conduct SQL injection attacks.
Note: If you do not use remote access (accessing files remotely via the internet), turn that feature off.
My Cloud hack – devices affected
My Cloud Gen 2
My Cloud PR2100
My Cloud PR4100
My Cloud EX2 Ultra
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100
MyCloud 04.X Series
MyCloud Home series
The My Cloud hack issues
Hardcoded back door
The first issue was that a programmer who worked on the MyCloud firmware hardcoded a backdoor password – this should never have happened.
The CGI binary nas_sharing.cgi hardcodes a username and password for an administrative user. This allows complete authorisation bypass. The specific account name used is “mydlinkBRionyg”.
Arbitrary file deletion via the nas_sharing.cgi binary
The CGI binary nas_sharing.cgi allows any user to delete any file from the device. The specific parameter name is “path”.
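For owners who keep web access logs (on the NAS or on a proxy in front of it), the two issues above can be checked for after the fact. The script below is an added example, not code from WD or Trustwave: it flags logged requests to nas_sharing.cgi that mention the hardcoded account or carry a "path" parameter. The log format, the /cgi-bin/ directory, the "x" parameter name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators taken from the advisory text above.
CGI_NAME = "nas_sharing.cgi"
BACKDOOR_USER = "mydlinkBRionyg"
DELETE_PARAM = "path"

# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_unquote(s, rounds=3):
    """Percent-decode repeatedly so double-encoded values still match."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def scan(lines):
    """Return (line_number, indicator) pairs for requests worth reviewing."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parsable request line
        parts = urlsplit(m.group("target"))
        if fully_unquote(parts.path).rsplit("/", 1)[-1].lower() != CGI_NAME:
            continue  # only the binary named in the advisory is in scope
        if BACKDOOR_USER.lower() in fully_unquote(parts.query).lower():
            findings.append((n, "hardcoded-account"))
        names = {fully_unquote(k).lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        if DELETE_PARAM in names:
            findings.append((n, "path-parameter"))
    return findings

# Constructed sample log lines (documentation IP ranges, invented paths and values).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2018:10:00:05 +0000] "GET /cgi-bin/nas_sharing.cgi?x=mydlinkBRionyg HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2018:10:00:09 +0000] "GET /cgi-bin/nas_sharing.cgi?x=%6dydlinkBRionyg HTTP/1.1" 200 64',
    '198.51.100.9 - - [01/Jan/2018:10:01:12 +0000] "GET /cgi-bin/nas_sharing.cgi?path=%2Ftmp%2Fexample HTTP/1.1" 200 64',
    '192.0.2.10 - - [01/Jan/2018:10:02:00 +0000] "GET /cgi-bin/other.cgi?path=/a HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for n, indicator in scan(SAMPLE):
        print(f"line {n}: {indicator}")
```

Access logs normally record only the request line, so values sent in a POST body will not show up here; a "path-parameter" hit is a prompt to review the request, not proof that a file was deleted.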