WesternDigital MyCloud Vulnerabilities Leaked

Probably everyone has heard of network-attached storage (usually called a NAS) somewhere. TL;DR it’s file-level storage for all your data. What makes it special is that you can access these files from anywhere in the world, on many different devices, while the storage unit itself sits, for example, in your basement at home. It is more than a single hard drive: it is an entire storage unit with multiple connected drives. Depending on your RAID settings it will also mirror the drives automatically, so a backup is available at any time.

Introduction

WesternDigital is a vendor with a huge impact on the market. Their products sell in large numbers and are considered the most trustworthy on the market. Perhaps I should say were.

WesternDigital offers a service called MyCloud which allows you to access your home-stored data from anywhere and also synchronizes data between devices automatically. As you would expect from critical infrastructure like this, there are strong security checks running in the background. Bear in mind that it is not only private homes that use a NAS to store their holiday pictures from the past few years; businesses use them to share important documents with their employees too. I don’t even want to think about someone gaining access to an infrastructure like that without being allowed to.

Well, here we are. Any firmware version <= 2.30.165 of any WesternDigital product is hit hard by multiple vulnerabilities. Probably some complex 0day which can only be reproduced under special circumstances, right? Yeah, no.

On the first of April, WesternDigital was informed about the vulnerabilities in their “MyCloud” product. Only two devices are not vulnerable to this. I keep talking about a vulnerability, but what is it?

The vulnerability

This writeup describes all the discovered vulnerabilities. There is one specific one which got me thinking.

If you take a look at the disassembly of the binary you will spot a legit backdoor in their authentication flow. The code looks for a specific username and password and accepts the login if both match. What we’ve got here is something that allows anyone to access any My Cloud NAS storage unit by Western Digital. You don’t even have to hack into it, you don’t need to scrape the password from somewhere, there is no social engineering involved: you simply log in with the credentials you obtain from the disassembly of the binary.

// Decompiled fragment of the authentication routine; v3 and v9 are the
// decompiler's names and, going by the comparison order, presumably hold
// the supplied username and password.
if (!strcmp(v3, "mydlinkBRionyg")
    && !strcmp((const char *)&v9, "abc12345cba") )
{
    result = (struct passwd *)1;   // non-NULL result: the login is accepted
}
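To make the defect and its fix concrete, here is an added example (not code from the original post or from Western Digital) that restates the shape of that check in plain C. The hardcoded literals are placeholders, the account store is a constructed single entry, and the function names are mine. The vulnerable routine accepts a credential pair baked into the binary before it ever consults the account store; the hardened routine treats the store as the only source of truth and compares in constant time so a failed comparison does not leak where the mismatch occurred.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed account store standing in for the NAS user database.
 * Passwords are kept in clear only to keep the example short; a real
 * store would hold salted password hashes. */
struct account {
    const char *user;
    const char *password;
};

static const struct account ACCOUNTS[] = {
    { "admin", "constructed-sample-password" },
};
#define ACCOUNT_COUNT (sizeof(ACCOUNTS) / sizeof(ACCOUNTS[0]))

/* Placeholder literals standing in for a credential pair compiled into a
 * binary; they are not the real strings from the device firmware. */
#define HARDCODED_USER "placeholder-backdoor-user"
#define HARDCODED_PASS "placeholder-backdoor-pass"

/* Constant-time string equality: always walks the longer of the two
 * strings and folds every byte into one accumulator, so the time taken
 * does not depend on where (or whether) the inputs differ. */
int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Vulnerable shape: a literal pair is accepted before the store is
 * consulted, so every device that ships this binary shares one valid
 * login that no administrator can change or revoke. Returns 1 on success. */
int login_vulnerable(const char *user, const char *pass)
{
    if (!strcmp(user, HARDCODED_USER) && !strcmp(pass, HARDCODED_PASS))
        return 1;                                  /* bypasses the store */
    for (size_t i = 0; i < ACCOUNT_COUNT; i++)
        if (!strcmp(user, ACCOUNTS[i].user) && !strcmp(pass, ACCOUNTS[i].password))
            return 1;
    return 0;
}

/* Hardened shape: only entries in the account store can authenticate,
 * and the comparison does not short-circuit on the first differing byte. */
int login_hardened(const char *user, const char *pass)
{
    for (size_t i = 0; i < ACCOUNT_COUNT; i++)
        if (ct_equal(user, ACCOUNTS[i].user) && ct_equal(pass, ACCOUNTS[i].password))
            return 1;
    return 0;
}

int main(void)
{
    /* The same unknown pair: accepted by the backdoored routine, rejected
     * by the hardened one. A regression test in the vendor's build should
     * assert exactly this for any credential absent from the store. */
    printf("vulnerable accepts unknown pair: %d\n",
           login_vulnerable(HARDCODED_USER, HARDCODED_PASS));
    printf("hardened accepts unknown pair:   %d\n",
           login_hardened(HARDCODED_USER, HARDCODED_PASS));
    printf("hardened accepts real account:   %d\n",
           login_hardened("admin", "constructed-sample-password"));
    return 0;
}
```

The practical lesson for a defender is the test in `main`: a login routine must reject every pair that is not in the account store, and that property is cheap to assert in a build pipeline, which would have caught this before the firmware shipped.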

Luckily this paper was sent to WesternDigital before it was released, so WesternDigital was kind enough to release a firmware update which patches the backdoor and all other vulnerabilities. Still kinda crazy, isn’t it?
