Western Digital’s (WD) My Cloud NAS drives are vulnerable to internet attacks, according to a report by bug-hunting site Exploitee.rs.
In a blog post, the site identified various unpatched security flaws in most My Cloud drives that allow remote intruders to circumvent the login, insert their own commands and upload files, all without permission. The most worrying aspect of all this is that the hacker would have full access to the NAS drive’s operating system, giving them free rein over the device.
The site also says that while WD did patch out one login bypass flaw through a firmware update, it inadvertently introduced another in the process.
The storage vendor is yet to respond to Exploitee.rs’ findings. While convention would dictate that the site should alert the affected vendor and allow them to patch out the flaw, blog post author zenofex said that they "learned of the vendor’s reputation within the community," for ignoring the severity of reported issues.
"Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out. Instead we’re attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible. Through this process, we’re fully disclosing all of our research and hoping that this expedites the patches to users’ devices."
While we await a response from WD, it may be worth My Cloud users taking their drives off the internet unless it’s a complete necessity.