After several devices in Western Digital’s My Book Live line have been reset thanks to an old security hole, other devices from the company may be subject to similar issues. Researchers claim that the operating system MyCloud OS 3 present in several products has a “zero-day” loophole (vulnerabilities built in since the project’s birth, without the developers’ knowledge) that allows remote execution of malicious code.
The security hole is present on all network-attached storage devices (NAS) with the software installed. It allows a firmware be installed from a low-privileged user account, allowing the creation of a backdoor for criminals.
According to researchers Radek Domanski and Pedro Ribeiro, the discovery was going to be presented during the Pwn2Own competition, held in July 2020 in Tokyo — days before the event, Western Digital launched MyCloud OS 5, which fixed the problem. Thus, the disclosure of the problem only occurred in February this year, in a video shared publicly on YouTube.
MyCloud OS 5 exclusive fix
The problem lies in the fact that, although the manufacturer has fixed the hole in the latest version of MyCloud OS, it remains present in version 3. Although the company encourages consumers to migrate to the latest software, many prefer not to do so thanks to loss of functionality related to it.
In response, Domanski and Ribeiro created their own security patch for the vulnerability, which must be applied every time a device is rebooted. In Krebs On Security, Western Digital said it has not evaluated the fix, nor can it officially support it. The researchers claim that the only way to completely close the loophole is to configure the products with MyCloud OS 3 so that they don’t provide remote access over the internet.
“Fortunately for many users, they don’t expose the interface to the internet,” said Domanski. “But looking at the number of posts on Western Digital’s support page related to OS 3, I can assume that the user base is still considerable. It almost looks like Western Digital jumped to OS 5 without any warning, leaving all users unsupported.”
So far, there are no reports that the old operating system’s security holes have been exploited, but the fact that they are publicly known does not speak in favor of user safety. Given the problems caused by the My Book Live line, the manufacturer started a data recovery plan for affected consumers, who will also be able to participate in an exchange program where they will be able to exchange their devices for more recent and protected ones.
The post Western Digital hard drives with old system may be subject to hacking appeared first on CmaTrends.