Western Digital My Cloud range of home NAS storage devices riddled with security flaws
Hackers find 85 vulnerabilities in WD My Cloud range
Western Digital's popular My Cloud range of home network-attached storage (NAS) devices is riddled with security flaws, according to a white-hat hacking group that goes by the name of the Exploiteers.
The group claims to have found 85 security flaws in WD's My Cloud NAS devices - and this comes after an earlier series of security flaws was exposed and fixed by the company.
The hackers claim to have discovered a number of glitches in the Linux-based operating system that runs the WD PR4100, only to discover that they apply to the entire range of WD My Cloud NAS devices.
The main issue is caused by the way that the admin page requests login credentials. It uses cookies, but doesn't authenticate against them, so a hacker can alter the cookies and bypass the login screen. This gives unfettered access to the device's entire operating system.
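The class of flaw described above, sketched next to a hardened check. This is an added example, not WD's code or the Exploiteers' findings: the cookie names "user", "role" and "session", the 900-second lifetime and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Added example. Cookie names "user", "role" and "session" are hypothetical;
# the article does not name the cookies the My Cloud admin page uses.
SERVER_KEY = secrets.token_bytes(32)  # stays on the device, never sent out
SESSION_TTL = 900                     # seconds a login stays valid (assumed)
SESSIONS = {}                         # session id -> (username, expiry time)


def _tag(sid):
    """HMAC over the session id, so only this server can mint valid cookies."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def login(username, password_ok, now=None):
    """Issue a session cookie only after the password check has passed."""
    if not password_ok:
        return {}
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = (username, now + SESSION_TTL)
    return {"session": f"{sid}.{_tag(sid)}"}


def is_admin_flawed(cookies):
    """Flawed pattern: the server believes whatever the cookies claim."""
    return bool(cookies.get("user")) and cookies.get("role") == "admin"


def is_admin_hardened(cookies, now=None):
    """Accept only an unexpired session this server issued itself."""
    now = time.time() if now is None else now
    sid, _, tag = cookies.get("session", "").partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(sid).encode()):
        return False  # value was not produced with SERVER_KEY
    user, expires = SESSIONS.get(sid, (None, 0))
    return user == "admin" and now < expires


# Constructed sample: cookies a client filled in itself, without logging in.
client_set = {"user": "admin", "role": "admin"}
```

The flawed check accepts client_set because nothing ties the cookie values to a login the server performed; the hardened check rejects it because the session value must carry the server's HMAC and match a live server-side record.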
The problem comes when you allow SSH access on your My Cloud, which is quite often necessary to do more advanced tweaks. Once this is open, code can be run with root access.
Before these findings became public, a firmware update rolled out which was supposed to have "fixed" the problem. Except it hasn't: the problem isn't fixed, and all that has changed is the implementation of the hack.
This is seemingly just the tip of the iceberg when it comes to what code can be injected, and whilst the obvious answer would be to turn off the SSH portal, in reality, if you can bypass the login, you can switch it on yourself from the UI anyway. It's like putting a series of cardboard boxes in the way of the Quattro.
In total the team found:
- 1 x login bypass;
- 1 x arbitrary file write;
- 13 x unauthenticated remote command execution bugs;
- 70 x authentication-required command execution bugs (!).
Computing has asked WD for comment, but had not received a reply at the time of publication this afternoon.