Western Digital has seemingly been shipping their My Cloud personal network attached storage solutions with an integrated backdoor. It's not really that complicated a backdoor either - a malicious user should always be able to use it. That stems from the fact that it's a hard coded backdoor with unchangeable credentials - logging in to someone's My Cloud is as simple as inputing "mydlinkBRionyg" as the Administrator username and "abc12345cba" as the respective password. Once logged in, shell access is unlocked, which allows for easy injection of commands.

The backdoor has been published by James Bercegay, with GulfTech Research and Development, and was disclosed to Western Digital on June 12th 2017. However, since more than 6 months have passed with no patch or solution having been deployed, the researchers disclosed and published the vulnerability, which should (should) finally prompt WD to action on fixing the issue. Making things even worse, no user action is required to enable attackers to take advantage of the exploit - simply visiting malicious websites can leave the drives wide open for exploit - and the outing of a Metasploit module for this very vulnerability means that the code is now out there, and Western Digital has a race in its hands. The thing is, it needn't have.

Exploitable models of Western Digital's MyCloud devices include My Cloud Gen 2, My Cloud EX2, My Cloud EX2 Ultra, My Cloud PR2100, My Cloud PR4100, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100. Needless to say, until a patch is issued, the best thing to do is to thoroughly disconnect these drives from your local area network and Internet access. But that isn't what users originally bought these drives for, now is it, WD?