Western Digital My Cloud Drives Have a Built-In Backdoor

Megalith

Security researcher James Bercegay has released his findings on a hard-coded backdoor in certain My Cloud products after Western Digital failed to address the vulnerability. Reportedly, anyone can log in with "mydlinkBRionyg" as the username and "abc12345cba" as the password. These credentials cannot be changed.

Affected models include My Cloud Gen 2, My Cloud EX2, My Cloud EX2 Ultra, My Cloud PR2100, My Cloud PR4100, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100. A Metasploit module has also been publicly released, making it very easy for almost anyone to take advantage of Western Digital drives.
 
Wow, mine isn't listed lol.

How the fuck do people even find exploits like this. That username and that password? Jeez.
 
Lucky mine is an older model, and this login doesn't work (I checked)
 
Probably a backdoor a programmer forgot to take out. Sure makes it easy on support when a person forgets their password!
 
> Wow, mine isn't listed lol.
>
> How the fuck do people even find exploits like this. That username and that password? Jeez.

So they can be internet heroes. Who gives a shit if a bunch of people get affected. They got their name mentioned on techdirt.
 
> So they can be internet heroes. Who gives a shit if a bunch of people get affected. They got their name mentioned on techdirt.

You obviously have no idea about what a security expert is or does, and if you would have read something you would have seen that he brought his findings to WD and WD refused to acknowledge them, so the next point after giving enough time is to do just what he did, a full public disclosure to force the company to act.

smfh seriously, 10k posts and it is like you don't know anything.

edit to add:
He gave them 6 freaking months, more than enough time for them to say or do anything, maybe issue a firmware update to close the backdoor, but they did nothing= they wanted to keep the backdoor is what this tells me.
 
"The user name or password entered is incorrect."

EX4100, must have been fixed in November firmware update
 
> You obviously have no idea about what a security expert is or does, and if you would have read something you would have seen that he brought his findings to WD and WD refused to acknowledge them, so the next point after giving enough time is to do just what he did, a full public disclosure to force the company to act.
>
> smfh seriously, 10k posts and it is like you don't know anything.
>
> edit to add:
> He gave them 6 freaking months, more than enough time for them to say or do anything, maybe issue a firmware update to close the backdoor, but they did nothing= they wanted to keep the backdoor is what this tells me.

Not unexpected. Front page delivers.
 
If only humans could evolve a bit further than the apes they replaced, there would be no need for security.
 
I don't even want to know what kind of security flaws my TRENDnet NAS has then.
 
> Wow, mine isn't listed lol.
>
> How the fuck do people even find exploits like this. That username and that password? Jeez.

Well WD and most companies are in bed with the NSA. It's a sad turn of events though not surprising.
Like the second message. I think a lot has to do with not only thinking in exploits for the program as in looking for mistakes, but also security researchers must have shifted in thinking to look for intentionally placed backdoors after Snowden. Even more worrying is the expressions by companies, namely Intel, that things are working as intended. Yeah, I know it might be a liability issue, but do they say the same about other lesser bugs? Bugs that crash a software, things like that? I think I can take them at their word, and working as intended means working as intended, and that Meltdown/Spectre attack was a backdoor working as intended, period, that simple. I mean they wouldn't be allowed to say they were mandated to do this, but they will be able to say so in a secret court; you might see all the lawsuits dropped or most likely settled quickly by a sum that is offset by a tax credit. I mean this WD thing is so obvious; the Intel stuff was much less obvious, but was it not for them? How can it not have been 10 years in... Yeah, they are complex systems, but they are at our level, they must understand their own hardware down to the metal so to speak, this is what they do, and these attacks seem to be tied to something very fundamental about the chip, and they seemed to me counting simply on the complexity for a normal person to figure as the safety feature.
 
the only thing these things are good for is shucking the drive and tossing the case.

build your own cloud people.
 
My bad then, still they should have disclosed the issue to the public in order to enforce a full firmware rollout, not disclosing the issue that the firmware fixes leaves lots of customers wide open.
 