A cybersecurity company discovered serious vulnerabilities and a hardcoded password backdoor in Western Digital's...
My Cloud network-attached storage devices. How does the Western Digital's My Cloud backdoor work and what can companies do about the vulnerability?
The critical need for secure software development has gone unfulfilled for decades, and it is only getting more important as non-traditional software companies begin to enter the industry.
The problem is getting worse, as new generations of software developers are writing programs for a wide range of traditional hardware companies that are trying to pivot to the cloud. These software developers probably haven't heard of secure software development lifecycles, so they continue to make many of the same mistakes from the past that will keep the information security community busy long into the future.
One of these traditional hardware companies is Western Digital Corp. (WDC), which has been making hard drives since the 1980s. These hard drives typically include firmware, but little user-exposed software.
WDC offers a personal cloud storage unit -- called Western Digital's My Cloud -- which allows users to connect to a network and access files. Because the security aspects of a product like this are very different than those in a new hard drive, WDC has had many opportunities to improve their software development lifecycle.
The most concerning vulnerability is a default hardcoded password in the My Cloud code. Default passwords are sometimes necessary, and end users should be able to change them when setting up a new system. However, in My Cloud, the account and password are hardcoded in the system software, making it impossible for end users to secure the device by changing the hardcoded password.
There were several vulnerabilities identified in the software, and analysis of the entire system -- including the Linux operating system configuration -- showed that more might be identified. Since the discovery, WDC has released updated versions of the software for end users to install manually.
Individuals and businesses using these products should pressure WDC to improve the security of these devices and incorporate updated functionality into the system itself, or even to use automatic updates. Due to weak system security, enterprises may want to restrict access over the network to only approved systems.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Password management and policy
Related Q&A from Nick Lewis
The new Mylobot botnet demonstrated new, complex tools and techniques that are modifying botnet attacks. Learn how this botnet differs from a typical... Continue Reading
New malware targets cryptocurrency investors through MacOS and chat platforms were recently discovered. Learn how OSX.Dummy malware works and what ... Continue Reading
IBM banned removable storage devices to encourage employees to use the company's internal file-sharing system. Learn how a ban like this can improve ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.