WD My Cloud hack – vulnerabilities revealed

Trustwave has revealed multiple new security holes in the popular WD My Cloud personal network attached storage devices. The result – the My Cloud hack is serious.

Don’t panic. Most owners would not have seen the recent silent firmware upgrade rolled out to all internet-connected WD My Cloud devices. If yours has not been upgraded, access it via the My Cloud Dashboard software or website and search for updates.

Any internet-connected device – routers, TVs, IoT and more – can be hacked remotely. WD is by no means alone here and worked with Trustwave to quickly address the issues. Synology has just issued an advisory for a flaw in its media server that allows remote attackers to conduct SQL injection attacks.

Note: If you do not use remote access (accessing files remotely via the internet), turn that feature off.

My Cloud hack – devices affected

  • My Cloud
  • My Cloud Mirror
  • My Cloud Gen 2
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX2
  • My Cloud EX4
  • My Cloud EX2100
  • My Cloud EX4100
  • My Cloud DL2100
  • My Cloud DL4100

Not Vulnerable

  • MyCloud 04.X Series
  • MyCloud 2.30.174
  • MyCloud Home series

The My Cloud hack issues

Hardcoded back door

The first issue was that a programmer who worked on the MyCloud firmware hardcoded a backdoor password – this should never have happened.

The CGI binary nas_sharing.cgi hardcodes a username and password for an administrative user. This allows complete authorisation bypass. The specific account name used is “mydlinkBRionyg”.

Arbitrary file deletion via the nas_sharing.cgi binary

The CGI binary nas_sharing.cgi allows any user to delete any file from the device. The specific parameter name is “path”.

Arbitrary shell command execution via the nas_sharing.cgi binary

The CGI binary nas_sharing.cgi allows any user to execute shell commands as root.
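
One way to check a web server access log for requests that touch these issues, as an added example that is not code from Trustwave, WD or this article. It assumes Common Log Format lines and a /cgi-bin/ location for the binary; the sample log lines and the parameter name "name" are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

BACKDOOR_ACCOUNT = "mydlinkBRionyg"  # account name quoted in the article
CGI_NAME = "nas_sharing.cgi"         # binary named in the article

# Assumption: the request appears as "METHOD target HTTP/x.y" (Common Log Format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses, dates and the "name" parameter are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2018:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2018:10:00:05 +0000] "GET /cgi-bin/nas_sharing.cgi?name=mydlinkBRionyg HTTP/1.1" 200 64
192.0.2.12 - - [01/Jan/2018:10:00:09 +0000] "GET /cgi-bin/nas_sharing.cgi?name=mydlink%42Rionyg HTTP/1.1" 200 64
192.0.2.13 - - [01/Jan/2018:10:00:12 +0000] "GET /cgi-bin/nas_sharing.cgi?path=/example/file HTTP/1.1" 200 64
"""

def classify(line):
    """Return the list of findings for one access-log line (empty if none)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group(1))
    if not unquote(parts.path).endswith("/" + CGI_NAME):
        return []
    findings = ["nas_sharing.cgi request"]
    # Decode twice so percent-encoded and double-encoded values still match.
    decoded = unquote(unquote(parts.query))
    if BACKDOOR_ACCOUNT in decoded:
        findings.append("hardcoded backdoor account")
    # The article names "path" as the parameter behind the file deletion issue.
    if "path" in parse_qs(parts.query, keep_blank_values=True):
        findings.append("path parameter present")
    return findings

def scan(log_text):
    """Return {line_number: findings} for every line that touches the CGI binary."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        print(n, ", ".join(found))
```

Access logs record only the request line, so parameters sent in a POST body will not show up here; any request to the binary from outside the local network is still worth a look on a device that has not been updated.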

After update

Users may notice that after firmware updates:

  • the device may not be externally discoverable
  • DLNA functionality is disabled.

If you use these features, reset them in the WD dashboard management software.