WesternDigital MyCloud Vulnerabilities Leaked

Probably everyone has heard of network-attached storage (typically called NAS) somewhere. TL;DR: it’s file-level storage for all your data. What’s special about it is that you can access these files from anywhere in the world, on many different devices. The storage unit itself, however, stays at home, in your basement for example. It is more than a single hard drive: it is an entire unit with multiple connected storage drives. Depending on your RAID settings it will also automatically mirror the drives, so you have a backup available at any time.

Introduction

WesternDigital is a vendor with a huge impact on the market. Their products sell in large numbers and are considered the most trustworthy on the market. Perhaps I should say were.

WesternDigital offers a service called MyCloud which allows you to access your home-stored data from anywhere, and also automatically synchronizes data between devices. As you would expect from critical infrastructure like this, there are strong security checks running in the background. Keep in mind that not only private homes use a NAS to store their holiday pictures from the past few years, but also businesses to share important documents with their employees. I don’t even want to think about someone gaining unauthorized access to an infrastructure like that.

Well, here we are. Any firmware version <= 2.30.165 of any WesternDigital product is affected big time by multiple vulnerabilities. Probably some complex 0day which can only be reproduced under special circumstances, right? Yeah, no.

On the first of April WesternDigital was informed about the vulnerabilities in their “MyCloud” product. There are only two devices which are not vulnerable to this. I keep talking about a vulnerability, but what is it?

The vulnerability

This writeup describes all the discovered vulnerabilities. One in particular got me thinking.

If you take a look at the disassembly of the binary you will spot a legit backdoor in their authentication flow. The code looks for a specific user and password and will accept the login if they both match. What we’ve got here is something that allows everyone to access any My Cloud NAS storage unit by Western Digital. You don’t even have to hack into it, you don’t need to scrape the password from somewhere, there is no social engineering involved - you simply log in with the credentials you obtain from the disassembly of the binary.

    if (!strcmp(v3, "mydlinkBRionyg")
        && !strcmp((const char *)&v9, "abc12345cba"))
    {
        result = (struct passwd *)1;
    }

Luckily this paper was sent to WesternDigital before it was released, so WesternDigital was kind enough to release a firmware update which patches the backdoor and all other vulnerabilities. Still kinda crazy, isn’t it?
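One way to check a firmware image or an extracted binary for the two literals from the comparison above, for example before and after applying an update. This is an added example, not code from the original post or from WesternDigital; the function names are hypothetical and the sample buffers are constructed, not real firmware.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The two literals from the decompiled check shown on this page. */
static const char *const KNOWN_LITERALS[] = { "mydlinkBRionyg", "abc12345cba" };
#define N_LITERALS (sizeof KNOWN_LITERALS / sizeof KNOWN_LITERALS[0])

/* Offset of `lit` stored as a C string (followed by NUL or the end of the
 * buffer) inside buf, or -1. A longer string that merely starts with the
 * literal does not match, because strcmp() compares the whole string. */
long find_c_string(const unsigned char *buf, size_t len, const char *lit)
{
    size_t n = strlen(lit);
    if (n == 0 || n > len)
        return -1;
    for (size_t i = 0; i + n <= len; i++) {
        if (memcmp(buf + i, lit, n) != 0)
            continue;
        if (i + n == len || buf[i + n] == '\0')
            return (long)i;
    }
    return -1;
}

/* Bit k of the result is set when KNOWN_LITERALS[k] occurs in the image.
 * A non-zero result means the image needs a closer look. */
unsigned audit_image(const unsigned char *buf, size_t len)
{
    unsigned mask = 0;
    for (size_t k = 0; k < N_LITERALS; k++)
        if (find_c_string(buf, len, KNOWN_LITERALS[k]) >= 0)
            mask |= 1u << k;
    return mask;
}

/* Constructed sample data: a string table containing both literals, and
 * one where a literal only appears as the prefix of a longer string. */
static const unsigned char SAMPLE_AFFECTED[] =
    "\x7f" "ELF\0login\0mydlinkBRionyg\0abc12345cba\0passwd";
static const unsigned char SAMPLE_CLEAN[] =
    "\x7f" "ELF\0login\0abc12345cbaXYZ\0passwd";

int main(void)
{
    printf("affected: 0x%x\n", audit_image(SAMPLE_AFFECTED, sizeof SAMPLE_AFFECTED));
    printf("clean:    0x%x\n", audit_image(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN));
    return 0;
}
```

A zero result only says these two strings are absent; it does not show that the authentication path is otherwise sound.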


WPA3 - What Now?

You might remember the horror news back in October 2017. By forcing nonce reuse it was possible to break WPA2, the current protocol used world-wide for Wi-Fi networks. Everyone freaked out: someone had found out how to basically crack any wireless connection ever made. Fortunately the issue could be patched in a backwards-compatible way, and vendors reacted quickly.

Now, a few months later, the Wi-Fi Alliance has announced the planned release of WPA3. Not only is this supposed to fix all the security concerns of the 2003-introduced WPA2 standard, it should also implement further security steps to ensure a safe Wi-Fi connection around the globe. It is meant to include robust protection because “Wi-Fi security technologies may live for decades, so it’s important that they are continually updated to ensure they meet the needs of the Wi-Fi industry”. An example of such a “step” is the introduction of “Opportunistic Wireless Encryption”, which offers encryption without authentication.

WPA3 will be ready for the future, that’s what the Wi-Fi Alliance hopes at least. We live in 2018 but weak password choices by users are still a huge problem. WPA3 addresses this and manages to secure devices even when the password is considered weak. With the rise of IoT, WPA3 also allows better control of Wi-Fi settings on devices without any sort of graphical display. Last but not least, WPA3 gives government buildings and the military the opportunity to use Wi-Fi in a much broader environment where additional security requirements are indispensable.

Let’s see what 2018 brings - and how long it will take Mathy Vanhoef to crack the protocol this time ;-)


Advanced Filtering in IntelliJ Debug Mode

Been there, done that. Debugging is sort of the least fun thing to do when it comes to developing software. The underlying issue we’re facing is unexpected behavior in the code.

There are various ways to find the issue and fix it. Sometimes it’s a simple typo, other times it is a complicated and entangled problem on various levels that causes the issue we’re seeing. In this post I’ll show a method to analyze a big set of data with IntelliJ debug mode.

The Approach

The example shown is typical of applications that process lots of data with various attributes. When you see issues with a sorting or filtering algorithm, it makes the most sense to have a look at the entire data set.

For this example we create a simple java.util.List of Person.

    class Person {
        private String name;
        private int age;

        public Person(String name, int age) {
            this.name = name;
            this.age = age;
        }
    }

To get a dump of the current content of the list we set a breakpoint somewhere after we fill the list with test data.

By right-clicking on the object, here the ArrayList, we can add a “Filter” to it.

The text window lets you enter any sort of code to filter the collection, such as >, <, ==, != and more.

You can also chain certain conditions to get even more filtered data.

This is only one of many extremely powerful tools IntelliJ IDEA offers to debug code to find issues and unwanted behaviors in the code.


Hello World

System.out.println("Hello World");