You may recall that a couple of weeks ago, we wrote about a security risk associated with Western Digital My Book Live NAS hard drive units. Users reported that their web-connected hard drives were completely wiped, with no means of recovering their data. The issue is ongoing and is caused by a security vulnerability. However, as PetaPixel reports, the vulnerability goes beyond the My Book Live product and affects other WD NAS drives running the company’s OS 3 software.
Security journalist Brian Krebs has published a report outlining the My Book Live issue, plus another security flaw present in a wider range of Western Digital MyCloud network storage devices.
Krebs writes, ‘At issue is a remote code execution flaw residing in all Western Digital network-attached storage (NAS) devices running MyCloud OS 3, an operating system the company only recently stopped supporting.’ Researchers Radek Domanski and Pedro Ribeiro were going to outline the flaws in MyCloud OS 3 at last year’s Pwn2Own hacking competition in Tokyo. WD then released MyCloud OS 5 – skipping OS 4 entirely – before the duo could expose the vulnerability. The pair could not compete since the competition required participants to show flaws in the latest firmware or software. However, they have shared a detailed video, seen below, showing the chain of weaknesses they discovered.
As of March 12, 2021, Western Digital no longer provides security updates for MyCloud OS 3 firmware. The problem is that multiple security flaws appear to remain in OS 3, and not everyone can update their device to OS 5. Some devices are incompatible with the latest firmware, and WD’s solution is for people to buy new products. Beyond those constraints, Domanski states that OS 5 doesn’t include all the core functionality of OS 3, so some users may not want to upgrade even if they’re able to.
PetaPixel notes a variety of issues and complaints with OS 5. The newest firmware eliminates integration with Google, Dropbox, OneDrive and Adobe. Further, thumbnail generation, which some users don’t need or want, can cause ‘unending indexing’ or even freeze the device.