All Western Digital My Cloud OS 3 NAS devices vulnerable to major exploits
Western Digital’s not having a great time lately, huh? After having received reports from users that their Western Digital My Book Live devices were randomly wiping and deleting themselves – which turned out to be a remote exploit – now they’re facing an even bigger issue. Several of WD’s other NAS devices running OS 3 also have a pretty huge remote exploit vulnerability that Western Digital seemingly won’t fix.
The issue stems from a weakness in My Cloud OS 3. WD actually patched this vulnerability when it released OS 5 (there is no OS 4, apparently). The problem is, not all devices are capable of being upgraded from OS 3 to OS 5, so they’re still vulnerable and only Western Digital can resolve the problem.
The exploit was to be demonstrated at a hacking competition in Tokyo last year by researchers Radek Domanski and Pedro Ribeiro. However, they were unable to do so, as OS 5 had been released, which patched the issue. The rules of the competition state that the exploit must still be valid for the latest firmware for the targeted device. I suppose, in a way, it was still the latest firmware for some devices that cannot be updated, but it wasn’t presented at the competition.
The pair did document their discovery in video form, however, and posted it in February of this year. The exploit still remains in devices that cannot be updated to OS 5, though, and Western Digital doesn’t seem interested in fixing it.
The other factor is, even if you can upgrade your device to OS 5, many users on both Mac and Windows have reported issues with the updated operating system, citing non-stop indexing, frozen devices, breakdowns of 3rd party integrations from services like Google and Adobe, as well as an overall reduction in general usability.
From a Western Digital business standpoint, sure, not fixing the issue forces people to go out and buy new devices. It’s a bit of a crappy tactic, but it works. It’s a similar tactic to “planned obsolescence”, except it wasn’t intentional. It was caused by sloppy coding. Chances are, without this bug, people would still be using these non-upgradeable devices for years, but now they’re forced to replace them if they don’t want to risk losing all their data or seeing permanent backdoors installed on their systems.
Such failure doesn’t inspire confidence in Western Digital NAS products and the response doesn’t inspire much confidence in Western Digital as a company, either. Do they really think that those forced to replace their OS 3 devices are going to remain customers and buy a newer WD NAS? No, I expect they probably won’t.
When Drobo devices were randomly bricking and losing data a few years ago, many people who’d loved them for years dumped them in a heartbeat for other alternatives – even if they have since returned after Drobo fixed their issues. A company already as big as Western Digital, though… this one’s going to hit hard.
Probably the funniest thing about all this is that Western Digital will start to offer a trade-in programme for those My Book Live users (the device in the other recent exploit) to get them onto a My Cloud device. I suspect quite a few of them won’t bother.
John Aldred is a photographer with over 20 years of experience in the portrait and commercial worlds. He is based in Scotland and has been an early adopter – and occasional beta tester – of almost every digital imaging technology in that time. As well as his creative visual work, John uses 3D printing, electronics and programming to create his own photography and filmmaking tools and consults for a number of brands across the industry.