
Popular NAS Device May Easily Be Compromised

September 26, 2018 | June 3rd, 2022 | Technology News

Western Digital has a big problem, and if you use the company’s “My Cloud” network-attached storage (NAS) devices, you’ve got one too. The WD My Cloud service is enormously popular because it’s so convenient, allowing both business owners and individuals to store their files, perform periodic backups, and of course, access their data from anywhere in the world.

Recently, security researchers discovered an authentication bypass vulnerability that could allow an attacker to gain admin-level control over the device. This means they’d be able to monitor all of the files sent to, opened on, or deleted from it, and to copy or even delete the files found there.

The vulnerability has been given the designation CVE-2018-17153 and is about as serious as it gets. Without going into the technical details, essentially, all a hacker would have to do to take complete control over the device is “tell” it that he’s an Admin via an uploaded cookie file. The device will accept it with no password required.

When the researchers notified Western Digital of the security flaw, they also released a proof of concept detailing the attack, and disturbingly, it can be executed using just six lines of code.

There is one silver lining: to make use of the exploit, the hacker would need either local access or an internet connection to a specific WD My Cloud device. But this is a relatively low bar that almost any experienced hacker could clear without a trace.

Western Digital has responded quickly and, according to a recent blog post on the company’s website, promises to have a patch that will resolve the issue “within a few weeks.” The company also stressed to its customers the importance of ensuring that the firmware on all their products is always up to date and recommended enabling auto updates.

It’s good advice that will simplify your life and ensure you never miss an update, although it is not always practical for SMBs.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over 20 years. He believes that having a great work environment and a supportive team is the ultimate key to success. In his more than 25 years in the IT realm, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his Bachelor’s degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMware VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.