Western Digital Network Attached Storage (NAS) owners may face another security issue. Following the two mistakes that hackers exploited to remotely wipe My Book Live devices, security journalist Brian Krebs released a report on another zero-day vulnerability affecting Western Digital products that the My Company’s Cloud OS3 software is running. Additionally, there doesn’t seem to be an official solution for those who don’t upgrade to a newer storage solution.
Earlier this year, security researchers Radek Domanski and Pedro Ribeiro discovered a number of vulnerabilities that allow a malicious actor to remotely upgrade a My Cloud OS3 device to add a backdoor. The two say they never heard from the company when they tried to get in touch about the vulnerability. Western Digital attributes its response (or lack of it) to one of its previous policies.
“The communication we received confirmed that the research team involved had planned to publish details of the vulnerability and asked us to contact them if they had any questions,” a company spokesman told Krebs. “We didn’t have any questions, so we didn’t answer. Since then we have updated our process and react to every message in order to avoid such misunderstandings again. “
While the bug isn’t there in Western Digital’s new My Cloud OS 5, it’s unclear whether the company ever went back to fix it in My Cloud OS3. It is also planned to no longer support the older software. “We will not be releasing any further security updates for the My Cloud OS3 firmware,” said Western Digital on a support page dated March 12, 2021. “We strongly recommend upgrading to the My Cloud OS 5 firmware. If your device is not eligible for an upgrade to My Cloud OS 5, we recommend upgrading to one of our other My Cloud offerings that support My Cloud OS 5. “
When Engadget contacted Western Digital, a company spokesman told us: “There is a solution to this vulnerability – we have ‘patched’ OS3 with OS5.” They added, “My Cloud OS 5 is a major security release that provides an architectural overhaul of our older My Cloud firmware. All My Cloud products that are currently actively supported are eligible for the My Cloud OS 5 upgrade and we encourage all users to upgrade as soon as possible to benefit from the latest security fixes. “
If you have a device that you cannot upgrade to My Cloud OS 5, you can download a patch developed by Domanski and Ribiro. Note that you will have to reapply it every time you restart your device. You can also protect your My Cloud NAS drive by restricting access to the Internet.
Update 6:35 p.m. ET: Added comment from Western Digital.
All products recommended by Engadget are selected by our editorial team independently of our parent company. Some of our stories contain affiliate links. If you buy something through one of these links, we may earn an affiliate commission.