Andrea Danti - Fotolia
A cybersecurity company discovered serious vulnerabilities and a hardcoded password backdoor in Western Digital's My Cloud network-attached storage devices. How does the Western Digital's My Cloud backdoor work and what can companies do about the vulnerability?
The critical need for secure software development has gone unfulfilled for decades, and it is only getting more important as non-traditional software companies begin to enter the industry.
The problem is getting worse, as new generations of software developers are writing programs for a wide range of traditional hardware companies that are trying to pivot to the cloud. These software developers probably haven't heard of secure software development lifecycles, so they continue to make many of the same mistakes from the past that will keep the information security community busy long into the future.
One of these traditional hardware companies is Western Digital Corp. (WDC), which has been making hard drives since the 1980s. These hard drives typically include firmware, but little user-exposed software.
WDC offers a personal cloud storage unit -- called Western Digital's My Cloud -- which allows users to connect to a network and access files. Because the security aspects of a product like this are very different than those in a new hard drive, WDC has had many opportunities to improve their software development lifecycle.
The most concerning vulnerability is a default hardcoded password in the My Cloud code. Default passwords are sometimes necessary, and end users should be able to change them when setting up a new system. However, in My Cloud, the account and password are hardcoded in the system software, making it impossible for end users to secure the device by changing the hardcoded password.
There were several vulnerabilities identified in the software, and analysis of the entire system -- including the Linux operating system configuration -- showed that more might be identified. Since the discovery, WDC has released updated versions of the software for end users to install manually.
Individuals and businesses using these products should pressure WDC to improve the security of these devices and incorporate updated functionality into the system itself, or even to use automatic updates. Due to weak system security, enterprises may want to restrict access over the network to only approved systems.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Password management and policy
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading