The IT Nerd

Got A WD My Cloud Box? Unplug It NOW


If you’re the proud owner of a Western Digital cloud box, I’d advise you to unplug it right now. Why? Apparently, these boxes can be easily hijacked from across the internet or network, and there’s no fix for this at present. If that’s not bad enough, the firmware of these devices also has cross-site request forgery vulnerabilities. In English, that means that a malicious webpage can potentially make a victim’s browser connect to a My Cloud device on the network and compromise it. Once that happens, the device and the data on it are pwned.

Here’s a video of the pwnage in progress:

Affected devices include the following:

News of this #EpicFail came from SEC Consult Vulnerability Lab, which published an advisory on Tuesday after someone named Zenofex went public with full details of the flaws. Here’s the kicker: SEC Consult warned WD back in January that it had uncovered holes in the My Cloud firmware, and gave the vendor 90 days to fix the bugs before it would reveal its findings to the world. Clearly that never happened. But it’s a safe bet with all this negative press that Western Digital is going to fix this real bloody quick. Which is a shame, as it should never get to this point before companies do the right thing.
