image: Hartwig HKD (Creative Commons BY or BY-SA)

Hardcoded backdoor in 12 Western Digital My Cloud NAS devices

January 8, 2018

Oh good, there’s a plethora of vulnerabilities, including a hardcoded backdoor, in 12 Western Digital My Cloud network storage devices. If you have one, then you need to update the firmware ASAP, unless you actually want anyone at all across the globe being able to log into yours as user “mydlinkBRionyg” with the password “abc12345cba”. The hardcoded backdoor administration account credentials cannot be changed; it can be removed by installing new firmware.

Gulftech security researcher James Bercegay informed Western Digital of multiple, easy to exploit flaws back in June 2017. Western Digital requested the standard 90 days before full disclosure. Yet more than six months went by without the company issuing fixes, so Bercegay published the details. That was enough to spur Western Digital to issues patches for the remote access bugs.

Read More on CSO Online