
WDMyCloud Multiple Vulnerabilities - ronnier
http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125
======
EgoIncarnate
Generally when it's something this obvious I think it's a backdoor for
debugging that got left in due to bad development practices. [1]

If someone actually wanted to implant a "secret" backdoor it would be
disguised as a subtle bug and/or obfuscated in some way.

"Never attribute to malice that which is adequately explained by stupidity."
Hanlon's Razor -
[https://en.wikipedia.org/wiki/Hanlon%27s_razor](https://en.wikipedia.org/wiki/Hanlon%27s_razor)

[1] "[...] it turns out the error was caused due to buggy code and nothing I
was or wasn't doing wrong." - if the code is so obviously buggy and the
backdoor part isn't obviously a bug, the developers are probably just being
sloppy, not malicious (bad or rushed development).

~~~
technion
Having identified a backdoor in a major product myself, the eventual meeting
with product managers led to a clear and frank discussion about the cause.
That being, it was there because it was expected only "certified" engineers
would know about it.

The initial view was a hotfix that just changed the hardcoded password,
because senior management felt lightning would not strike twice.

~~~
otp124
> The initial view was a hotfix that just changed the hardcoded password,
> because senior management felt lightning would not strike twice.

What led them to believe you wouldn’t find it again? Was it a simple password
that you guessed?

~~~
technion
I found the password (actually, it used an s/key generator[0]) by similar
means to this write-up. It didn't matter if I "found" it again because at this
point I was in direct contact with them and considered "trusted". The
principle that someone else could just as easily find it gets back to the
lightning striking twice argument, and was refuted for a long time. Eventually
they agreed to change behavior, but it took a while.

The timeline on the link below only refers to one specific incident; the time
spent discussing this in principle went on for roughly 11 months, and left me extremely
disillusioned with the concept of responsible disclosure.

[0] [https://github.com/technion/lhnskey](https://github.com/technion/lhnskey)

~~~
caf
Really they have no idea how many times the "lightning" struck anyway. It was
just once that they'd been told of.

------
aeleos
I always wondered how they were able to sell these devices so cheaply. I recently
bought 2 4tb ones to take the hard drives out as they were each $30 cheaper
than buying a regular 4tb hard drive.

~~~
djsumdog
I pulled some old MyBook hard drives out of their cases and discovered they
were unreadable via a standard SATA connection. They were older MyBooks
designed for XP, so I thought it was just having trouble because they were
using 4k sectors.

I found some information that claimed the older MyBooks would AES encrypt the
data (even if you never set up a password) making the data totally inaccessible
if the factory enclosure ever broke.

Fuck that shit. I pulled the drive back in and copied everything off, then
formatted the disk from a real PC and threw that shit away. Today I always buy
separate disks and enclosures that allow direct disk access.

~~~
yeukhon
If the claim is true, would you rather someone pull it out and access your
data? This is like breaking an HSM. So why "fuck that shit"? I hear a lot of
people worrying about not enough encryption. So perhaps take this as a positive
thing??? Having an extra layer of protection is never a bad idea.

~~~
ggg9990
Not everyone cares about encryption first. Personally, I’d rather have my
entire HDD published on nytimes.com than lose the data on it.

~~~
otp124
> Personally, I’d rather have my entire HDD published on nytimes.com than lose
> the data on it.

If your data is that valuable, surely you were already taking
backups/snapshots of it. Right?

~~~
williamscales
What if this is the backup and the enclosure is damaged by some natural
disaster but the disk is OK. I guess he should have thought of that
possibility, but what if he didn't?

~~~
bcrack
Then this is not really the backup though... I mean it is not a backup if you
don't understand it completely.

~~~
imtringued
Yes, that's the entire point of the discussion. Yet people still claim you
should back up your backup. But where are you going to back it up to? To another
encrypted drive where the enclosure might fail? No, you're going to use an
unencrypted HDD and be done with it. You can always add encryption on top of
an unencrypted HDD.

------
jchw
Well, shit. I've had one of these as a stand-in for hopefully eventually
getting a Synology NAS, and now I'm paranoid about continuing to use my WD
MyCloud. The thing is, while I do believe I have a lot of reasons to believe I can
trust Synology more, I don't even want to trust anyone. Not Intel or AMD, not
WD or Synology. Computers are quickly becoming a source of implicit distrust
for me.

~~~
kogepathic
_> Well, shit. I've had one of these as a stand-in for hopefully eventually
getting a Synology NAS, and now I'm paranoid about continuing to use my WD
MyCloud._

The hardware is still fine. You can put Debian on it!

There is a very active forum of people replacing the WD firmware with Debian
on various models (EX2 Ultra, EX2100, EX4100):
[https://forum.doozan.com/list.php?2](https://forum.doozan.com/list.php?2)

~~~
vasili111
> The hardware is _still_ fine.

But if the software comes with a built-in backdoor there is no reason to trust the
hardware.

~~~
mynewtb
Even if you don't like apples, you might like oranges.

~~~
dmannorreys
Maybe, but I wouldn't eat them if they came from the same, infested, farm :)

------
cordite
I recently moved to a FreeNAS machine, as these devices had the weakest CPU
and as little RAM as possible to function. It made buffering media on the network
a challenging task when it should have been effortless.

------
Animats
A general question: why is no one suing people who put in back doors? Where
are the "reckless negligence" suits? Especially injured third parties, who
never agreed to an overreaching EULA.

~~~
astura
Off the top of my head I recall there was the Sony rootkit lawsuit:
[https://www.cnet.com/news/sony-settles-rootkit-class-action-lawsuit/](https://www.cnet.com/news/sony-settles-rootkit-class-action-lawsuit/)

~~~
bo1024
That went way beyond a backdoor, that was active malware.

------
caconym_
What an excellent way to ensure I don't even spare a glance for your products
before going with the competition's offering(s).

~~~
the_common_man
Any recommended competitors?

~~~
PascLeRasc
Synology. Their software is the OS X of NAS's. Everything is laid out
logically and they have great long-term support. They're the only NAS
manufacturer with a statement about Meltdown that I could find.

Try it here if you want: [https://www.synology.com/en-us/dsm/live_demo](https://www.synology.com/en-us/dsm/live_demo)

~~~
shandian
FYI - Synology DSM does not support full disk encryption. It can do folder
encryption through eCryptfs though. Just a heads up if that's something that
you require.

------
madez
A relevant but still more general question: How can we protect ourselves against
backdoored products that are covertly subsidized by governments?

Sure, demanding the sources is a necessary first step. But what happens when
the manufacturer blocks and there is not enough competition in the market, see
Intel and laptops?

This situation has been a problem for years now. What can be done? What
regulation or law would help? What should we demand?

~~~
acdha
> A relevant but still more general question: How can we protect ourselves
> against backdoored products that are covertly subsidized by governments?

There's a big issue with quality on devices but spreading conspiracy theories
only harms that cause. There's no reason to believe this is connected to a
government — and it's way below the level of craft we've seen in that regard –
and making dubious claims is more likely to cause people to take you and the
broader argument less seriously.

> This situation has been a problem for years now. What can be done? What
> regulation or law would help? What should we demand?

Two good starting points would be protection for security researchers and the
requirement that manufacturers promptly support devices for a reasonable
amount of time. Things like this happen because there's very little perceived
cost to shipping something shoddy compared with not getting as many features
to market as quickly as possible.

A followup point, especially for restoring trust that there aren't
sophisticated backdoors, would be not just source code but fully reproducible,
user-installable builds. This is still fundamentally a losing game if you
don't trust the hardware but it'd dramatically increase the odds of someone
being able to notice an error, not to mention being a huge win for users’
ability to improve an orphaned device.

The reason why that's unlikely to happen is that companies treat source code
as a significant asset, which is why I first mentioned a longer support
period. My favorite approach for this problem would be regulation requiring
mandatory release of source code, the toolchain, signing keys, etc. _if_ the
manufacturer stops supporting something, so the places which want to keep
their trade secrets can still do so but are required to help their users at
the same time.

~~~
Digital-Citizen
"The reason why that's unlikely to happen is that companies treat source code
as a significant asset, which is why I first mentioned a longer support
period. My favorite approach for this problem would be regulation requiring
mandatory release of source code, the toolchain, signing keys, etc. if the
manufacturer stops supporting something, so the places which want to keep
their trade secrets can still do so but are required to help their users at
the same time."

I mostly concur, therefore I certainly hope you're all donating to the
Software Freedom Conservancy for their GNU GPL enforcement efforts (see
[https://sfconservancy.org/supporter/](https://sfconservancy.org/supporter/)
for more) and encouraging people to license their free software under a
strongly-copylefted free software license such as the GNU GPL v3 or later, or
the AGPL v3 or later. These licenses allow users to request and deserve to
receive complete corresponding source code, build instructions, signing keys,
and other materials needed to build the software.

We all need free software for all our computers and we need it whether a
manufacturer supports something or not. It's not the public's job to look out
for Western Digital's interests including their alleged trade secrets. Western
Digital still supports the WDMyCloud device but apparently can't be trusted to
handle the software that device runs. It would help WDMyCloud users to publish
that device's entire software as free software (if they haven't already), as
well as the other things you rightly mention (build instructions, signing
keys, and anything else needed to get the device running) so users aren't
waiting for this less trusted party to make better choices. Users ought to be
free to run, inspect, modify, and share this software or get someone else they
trust to do this work on their behalf.

------
xioxox
The article doesn't seem to make clear that the 04 firmware which fixes this
has been out for years (mid 2014, specifically). One nice thing about this
device is that it is a real Linux system which can be used for hosting cheap
services.

~~~
emcrazyone
The article mentions firmware version 2.30.165 whereas mine is running
2.11.168 and when checking for updates, reports back I have the latest. I have
the EX4 models.

I only run mine on private/home networks with no remote access in to them.

Curious about the version difference...

~~~
bmaupin
2.11.168 is the latest firmware for My Cloud Mirror gen 1 [1]. 2.30.165 is the
latest firmware for My Cloud Mirror gen 2 [2].

Both firmwares were released in Nov 2017, and I suspect the vulnerabilities
were fixed at that time as well. At the very least nas_sharing.cgi was removed
in both versions. But I haven't had a chance to finish my investigations [3].

[1] [https://support.wdc.com/downloads.aspx?g=907](https://support.wdc.com/downloads.aspx?g=907)

[2] [https://support.wdc.com/downloads.aspx?g=910](https://support.wdc.com/downloads.aspx?g=910)

[3] [https://gist.github.com/bmaupin/c38c777a0e4fad737a14718b1092...](https://gist.github.com/bmaupin/c38c777a0e4fad737a14718b10928fe4)

~~~
bmaupin
From what I can tell the hard-coded backdoor vulnerability was remediated, but
I see no indication the unrestricted file upload vulnerability has been
remediated in any of the firmwares I tested. But I'm not a security expert.
I've reached out to Gulftech and WD for clarification.

------
userbinator
WD probably contracted D-Link to make these devices for them, i.e. D-Link is
the OEM. The latter has been known for quite a few router vulnerabilities...

...but on the bright(?) side, I remember finding lots of software and other
fun stuff on "public" D-Link NASes a few years ago, including information
critical to repairing the products of one well-known and notoriously-closed
company. ;-)

~~~
happycube
Yup, D-Link's made crappy firmware for many years now. You would think WD
would've known about that...

~~~
thg
Knowing does not imply caring.

------
ronnier
Reddit thread:
[https://www.reddit.com/r/PleX/comments/7odjds/secret_hardcod...](https://www.reddit.com/r/PleX/comments/7odjds/secret_hardcoded_backdoor_and_other/)

------
l0b0
Side note: Can't reach over HTTPS, access denied via Tor. Why do so many
security-related sites use awful hosting providers?

------
notadoc
Yikes.

I suspect there are many more of these out there.

------
freestockoption
FYI, some MyCloud devices can be modified to just run Debian. I treat my
MyCloud as a cheap Linux box with lots of storage in a convenient form factor.
If it weren't for that, I'd just build a computer.

------
ksec
I am now less sure how anything is secured once it can be reached through the
Internet.

Maybe I have the old way of a NAS that is NOT reachable through the internet
at all.

I really want a Time Capsule for all my iOS devices, and have it only
accessible within my Network. But then I am also paranoid about bit rot on
HDD, as I have seen far too many of my Photos or Video with this problem. And
I don't believe any consumer grade NAS is quite capable of handling them yet.

I have yet to find a use case where I want ALL of my files, Photos, Movies or
whatever accessible wherever I am. Most of the time I only need one file from
work, and it is normally in Dropbox or email.

~~~
KozmoNau7
If you want remote access, don't make the NAS directly accessible from the
internet, set up a properly secured VPN instead. It is an additional step, but
you'll be the one in control of access, not whichever faulty services are
running on your NAS.

And don't buy a NAS appliance, buy an inexpensive server like a Lenovo TS150
or HP MicroServer, add a couple of RAID disks (Btrfs or ZFS preferred over
hardware or software raid) and run something Linux/BSD based that you have
better control over.

Btrfs and ZFS _should_ be able to prevent bitrot. ECC memory is _highly_
recommended.
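The bit rot worry above is exactly what a checksumming filesystem handles on every read. On a plain filesystem you can approximate it by recording a hash per file and re-verifying on a schedule. The following is an added example written for this thread, not code from any NAS vendor or commenter; the sample files it writes into a temporary directory are constructed, and the single flipped bit stands in for silent corruption.

```python
"""Detecting silent corruption ("bit rot") on a filesystem without checksums.

Added example, not from the thread or any NAS vendor.  Btrfs and ZFS verify a
checksum on every read; on ext4/NTFS you can approximate that by saving a
SHA-256 per file and comparing later.  The demo flips one bit in a constructed
sample file and shows the verifier reporting it.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large media files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree under root against a saved manifest.

    Returns a dict with three sorted lists:
      changed -- present in both, but the hash differs (corruption or an edit)
      missing -- in the manifest, no longer on disk
      new     -- on disk, not in the manifest
    """
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "new": sorted(p for p in current if p not in manifest),
    }


def flip_one_bit(path, offset):
    """Flip the low bit of one byte at offset: the demo's stand-in for bit rot."""
    with open(path, "r+b") as f:
        f.seek(offset)
        b = f.read(1)
        f.seek(offset)
        f.write(bytes([b[0] ^ 0x01]))


def demo():
    """Build a manifest, damage the tree, verify.  Returns the report dict."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files: a 'photo' at the top and a 'video' in a subdir.
        os.makedirs(os.path.join(root, "videos"))
        with open(os.path.join(root, "photo1.jpg"), "wb") as f:
            f.write(b"\xff\xd8" + bytes(range(256)) * 64)
        with open(os.path.join(root, "videos", "clip.mp4"), "wb") as f:
            f.write(b"ftypisom" + bytes(4096))
        manifest = build_manifest(root)

        # Silent corruption of one bit in the middle of the video.
        flip_one_bit(os.path.join(root, "videos", "clip.mp4"), 2048)
        # One file vanished and one appeared since the manifest was taken.
        os.remove(os.path.join(root, "photo1.jpg"))
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"new file")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())  # expect clip.mp4 changed, photo1.jpg missing, notes.txt new
```

On a real share you would run `build_manifest` once, keep the result as JSON somewhere other than the disk it describes, and re-run `verify_manifest` from cron. A `changed` entry for a file you never edited is the bit rot signal; the manifest cannot tell corruption from a deliberate edit by itself, so pair it with modification times or with a second copy you can restore from. ECC memory matters here for the same reason it matters for ZFS: a hash computed from a flipped bit in RAM is a wrong hash.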

~~~
ksec
Yes, that is why I said consumer grade. I don't want to fiddle with things
anymore. I know Synology offers Btrfs, but they only offer it at the higher
end spec machine. I think their newest DS218 doesn't support either Btrfs or
snapshots, and it doesn't have ECC Memory.

------
patrickdavey
Correct me if I'm wrong but if this is on your home network then you're only
vulnerable to other people on your network right? Just don't port forward
access for a start.

~~~
Someone1234
This is expressly covered in the article ("02.2 - Remote exploitation").

No, in answer to your question, an iFrame on a website you visit can execute
commands on your LAN accessible MyCloud.
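The reason "just don't port forward" is not enough is that the victim's own browser carries the request: a page on any site can embed a form or iframe addressed to the NAS's LAN name, and the browser sends it with the user's session. The device-side defence is to accept state-changing requests only when the browser-supplied `Origin` (or, failing that, `Referer`) names the device itself. The check below is an added example written for this thread, not code from the advisory, WD or D-Link; the device hostnames, the header values and the function names are all constructed for illustration.

```python
"""Same-site check for a LAN device's state-changing endpoints.

Added example, not vendor code.  A browser attaches Origin to cross-site
POSTs and a page cannot forge it, so a device that runs commands from a CGI
can refuse requests whose Origin is not one of its own hosts.  Header
dictionaries in constructed_requests() are made up for the demo.
"""
from urllib.parse import urlsplit

# Hosts under which an administrator legitimately reaches the device.
# Hypothetical values; a real device would derive them from its configured
# hostname and interface addresses.
DEVICE_HOSTS = {"wdmycloud.local", "192.168.1.20"}

STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def _host_of(url):
    """Lowercase host (without port) of a URL, or None if it has none."""
    try:
        host = urlsplit(url).hostname  # already lowercased by urlsplit
    except ValueError:  # e.g. malformed IPv6 brackets
        return None
    return host.lower() if host else None


def is_same_site_request(method, headers, device_hosts=DEVICE_HOSTS):
    """Decide whether a request may change state on the device.

    1. Safe methods (GET, HEAD, OPTIONS) pass; they must not change state.
    2. If Origin is present, its host must be one of ours.
    3. Otherwise fall back to the Referer host.
    4. A state-changing request with neither header is rejected: fail closed,
       because the endpoint behind it can run commands.
    """
    if method.upper() not in STATE_CHANGING:
        return True
    # Header names are case-insensitive.
    h = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        value = h.get(name)
        if value:
            return _host_of(value) in device_hosts
    return False


def constructed_requests():
    """Constructed sample requests (not captured traffic): (method, headers, expected)."""
    return [
        # Admin posting from the device's own web UI.
        ("POST", {"Origin": "http://wdmycloud.local",
                  "Referer": "http://wdmycloud.local/web/"}, True),
        # Request launched by a page on an unrelated site the admin visited:
        # the browser addresses it to the LAN device, but Origin gives it away.
        ("POST", {"Origin": "http://unrelated-site.example"}, False),
        # Older browser that sends only Referer.
        ("POST", {"Referer": "http://192.168.1.20/cgi-bin/"}, True),
        # No provenance at all on a state-changing request: reject.
        ("POST", {}, False),
        # Opaque origin (sandboxed iframe, data: URL): no host, reject.
        ("POST", {"Origin": "null"}, False),
        # Read-only request: allowed regardless of origin.
        ("GET", {"Origin": "http://unrelated-site.example"}, True),
    ]


def check_all():
    """True if every constructed request is classified as expected."""
    return all(is_same_site_request(m, hdr) == expected
               for m, hdr, expected in constructed_requests())


if __name__ == "__main__":
    for method, hdr, expected in constructed_requests():
        print(method, hdr, "->", is_same_site_request(method, hdr), "expected", expected)
```

The Origin check also holds up against DNS rebinding, since the rebound hostname still appears in Origin rather than the device's own name. It is a complement to, not a substitute for, a per-session anti-CSRF token and `SameSite` cookies; and none of this helps while the CGI accepts a hard-coded credential, which is why updating firmware comes first.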

------
linkmotif
What’s the connection to D-Link about?

~~~
fernly
Read the original article to the end:

" the D-Link DNS-320L had the same exact hard coded backdoor and same exact
file upload vulnerability that was present within the WDMyCloud. So, it seems
that the WDMyCloud software shares a large amount of the D-Link DNS-320L code,
backdoor and all. There are also other undeniable examples such as misspelled
function names and other anomalies that match up within both the WDMyCloud and
the D-Link DNS-320L ShareCenter code."

~~~
linkmotif
Yeah I read that. Was wondering still why the two companies would be related.
Other responder suggests an OEM.

------
newb88
I recently installed one of these in my home, what actions would you suggest I
take?

~~~
bmaupin
I haven't had a chance to finish my investigations yet, but at least part of
the vulnerabilities were corrected with the latest firmware, so I'd start by
updating the firmware. I wrote more here:
[https://news.ycombinator.com/item?id=16091555](https://news.ycombinator.com/item?id=16091555)

------
mmaunder
According to the research, this may be wormable and is browser exploitable,
assuming they can figure out the local hostname/IP of your NAS.

------
daniel_iversen
Well crap! I bet this gives a lot of WD customers a sick feeling in their
stomach. Is nobody worthy of our trust anymore! :|

------
Geee
Is there a way to crowdfund security research? We need more people looking
into these.

~~~
simooooo
Wasn't that how they did truecrypt/openSSL?

------
duxup
Any ideas on why WD and D-Link share the same hard coded user and password?

~~~
mjg59
Possibly implemented by the same third party vendor.

~~~
ComodoHacker
Looking at the code, it was the cheapest bidder from Upwork.

------
oceanghost
Is anyone aware of a way to put a non-crappy OS on the PR4100?

------
akerro
FFS, can't you just buy anything these days without worrying about backdoors,
vulnerabilities in CPUs, MOBO? Why can't we just have nice things? Why do
browsers have to run DRM, CPU can be controlled by any USB driver, MOBOs have
webservers with code execution from LAN and internet. IoT cameras make the biggest
botnets ever known. At this point I'm just waiting for fucking internet-controlled
kettles and ovens that will burn down neighbourhoods and cities.

~~~
EgoIncarnate
Economics. Enough people prefer faster and cheaper. Security and reliability
cost time and money. By the time your product ships it's already obsolete and
still costs more than customers are willing to pay.

Probably won't change until the costs of these types of bugs/design flaws
outweigh the costs of preventing them.

~~~
probablybroken
Surely, not putting in a backdoor is a cost saving measure though?

~~~
EgoIncarnate
If the backdoor was a hack for easier debugging that got left in, not having
it during development could make for a longer more expensive development
cycle. In which case it should have been removed before production.

It could also be intended as a support tool to ease hard-to-debug situations
remotely. Not having it could make support issues more expensive and slower.
Very insecure and misguided (security by obscurity is not security) if this is
the case, but not malicious. Just a stupid attempt at saving money. This
apparently was the case for another commenter on a different product.

While it's possible it was placed with malicious intent, there are plausible
(and all too common) alternatives that explain it.

------
madez
When you use proprietary solutions you have it coming.

~~~
Johnny555
While that may be true, no one should expect to be backdoored by using a
proprietary product.

~~~
craftyguy
I (strongly) disagree. You should expect the worst when using crap that you,
or anyone else (publicly) cannot verify. To expect any less is to become
complacent. Products, and companies behind them, must earn your trust, and
hiding behind binary blobs is not the way.

~~~
borplk
Not everyone is a leet open source enthusiast lisp-loving kernel-compiling
hacker.

People go to the shop down the block, pick a product from the shelf and they
are done with it.

This doesn't make them deserving of backdoors.

"Bought the wrong brand of car ... you had that accident coming"

"Visited the wrong doctor ... you had it coming"

"Ate food at the wrong restaurant ... had it coming"

Not everyone is going to be an expert in every field. This is not how a modern
society works.

~~~
nickik
While I agree with you, you can just buy a product with Open Source software.
Those exist, but not for every possible product you might want.

That said, for hardware this does not yet work, and firmware is of course
another problem.

Let's hope for a better future.

------
mindfulhack
Thank fuck for security research and hackers.

------
jwilk
"Secret hard-coded backdoor" makes no sense. Please use the original title.

~~~
IncRnd
"Secret hard-coded backdoor" makes sense to me, because the linked webpage
illustrates a secret hard-coded backdoor in the product.

~~~
alsetmusic
Regardless:

> […] Otherwise please use the original title, unless it is misleading or
> linkbait.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
LukeShu
While I'm not a fan of the title it was submitted with, a backdoor is a heck
of a lot different than a "normal" vulnerability; to the point where just
saying "vulnerability" is a bit misleading.

Perhaps: "WD MyCloud Multiple Vulnerabilities (including hard coded backdoor)"

