All Western Digital My Cloud OS 3 NAS devices vulnerable to major exploits
Western Digitalâs not having a great time lately, huh? After having received reports from users that their Western Digital My Book Live devices were randomly wiping and deleting themselves â which turned out to be a remote exploit â now theyâre facing an even bigger issue. Several of WDâs other NAS devices running OS 3 also have a pretty huge remote exploit vulnerability that Western Digital seemingly wonât fix.
The issue stems from the fact that the vulnerability exploits a weakness in My Cloud OS 3. WD actually patched this vulnerability and released OS 5 (there is no OS 4, apparently). The problem is, not all devices are capable of being upgraded from OS 3 to OS 5, so theyâre still vulnerable and only Western Digital can resolve the problem.
The exploit was to be demonstrated at a hacking competition in Tokyo last year by researchers Radek Domanski and Pedro Riberio, however they were unable to do so as OS 5 had been released which patched the issue. The rules of the competition state that the exploit must still be valid for the latest firmware for the targeted device. I suppose, in a way, it was still the latest firmware for some devices that cannot be updated, but it wasnât presented at the competition.
The pair did document their discovery in video form, however, and posted it in February of this year. However the exploit still remains in devices that cannot be updated to OS 5 and Western Digital doesnât seem interested in fixing it.
The other factor is, even if you can upgrade your device to OS 5, many users on both Mac and Windows have reported issues with the updated operating system, citing non-stop indexing, frozen devices, breakdowns of 3rd party integrations from services like Google and Adobe, as well as an overall reduction in general usability.
From a Western Digital business standpoint, sure, not fixing the issue forces people to go out and buy new devices. Itâs a bit of a crappy tactic, but it works. Itâs a similar tactic to âplanned obsolescenceâ, except it wasnât intentional. It was caused by sloppy coding. Chances are, without this bug, people would still be using these non-upgradeable devices for years, but now theyâre forced to if they donât want to risk losing all their data or see permanent backdoors installed on their systems.
Such failure doesnât inspire confidence in Western Digital NAS products and the response doesnât inspire much confidence in Western Digital as a company, either. Do they really think that those forced to replace their OS 3 devices are going to remain customers and buy a newer WD NAS? No, I expect they probably wonât.
When Drobo devices were randomly bricking and losing data a few years ago, many people whoâd loved them for years dumped them in a heartbeat for other alternatives â even if they have since returned after Drobo fixed their issues. A company already as big as Western Digital, though⊠this oneâs going to hit hard.
Probably the funniest thing about all this is that Western Digital will start to offer a trade-in programme for those My Book Live users (the device in the other recent exploit) to get them onto a My Cloud device. I suspect quite a few of them wonât bother.
[via PetaPixel]
