WD's My Cloud NAS Drives Have Been Vulnerable Since 2017

DeadRam

Is this a typo? "My Cloud Home devices AREN'T affected and that it plans to address the vulnerability with a firmware update "within a few weeks.""
 


No typo - "My Cloud Home" is a different product line than "My Cloud NAS". It does seem to be a bit of defensive deflection, though.

 
Very disappointing that WD doesn't commit more seriously to investigating & fixing security flaws. A year-and-a-half is way too long, and someone needs to light a corporate fire under them to get more serious.

Sadly, it's the buyers of these devices who are ultimately hurt, not WD. However, WD, don't forget that word-of-mouth about lousy security can prevent future buyers from purchasing your products. A bad reputation can hurt all of your product lines, not just "My Cloud". So you better put some real effort into finding and fixing these vulnerabilities!
 

DeadRam

Let me clarify. "My Cloud Home devices aren't affected" BUT "it plans to address the vulnerability". Why address the vulnerability if they aren't affected?
 


They are addressing the vulnerability in the My Cloud product lines (e.g. many models) that are affected. The specific "Home" model supposedly isn't affected. I'm guessing that it was probably the only one that didn't include the "Dashboard Cloud Access" or something else just slightly different enough in the firmware as their fix involves a firmware update.

The wording on WD's blog post makes it more clear that the Home model specifically wasn't affected:

"Recently, security researcher Securify published an authentication bypass vulnerability for our My Cloud products (My Cloud Home is exempt from the vulnerability). We are in the process of finalizing a scheduled firmware update that will resolve the reported issue. We expect to post the update on our technical support site at https://support.wdc.com/ within a few weeks."
 

phobicsq

Anything in the cloud or online is at risk. Until laws are made to hold companies and execs accountable, things won't change.