According to researchers at VerSprite says that, Western Digital’s My Cloud NAS (Network Attached Storage) hard drive can be hacked by local or remote attackers.
This device is getting good sales in market, since it is very easy to use and carry. This device is available in 2TB, 3TB, 4TB and 6TB starting from $97 and on. This device has password protection with hardware encryption.
Western Digital device runs a version of Debian Linux, which allow the users to interact with the device using two methods
- Web-accessible UI (http://wdmycloud.local/UI/)
- RESTful API (http://wdmycloud.local/api/)
Researchers were able to find two major flaw in this device
- Command injection issue
- Cross-site request forgery (“CSRF”) vulnerability
This video is a demonstration of the command injection vulnerability in the Western Digital My Cloud NAS. It shows that it is possible to remotely access every folder and file on the NAS regardless of permissions.
Western Digital My Cloud with firmware versions 04.01.03-421 and 04.01.04-422 are vulnerable to the two major flaws, and patches have already been made and launched after few days by the company.