Western Digital NAS devices are primarily marketed as secure, remote backup storage for homes and small businesses. They’re often deployed in environments with a relatively low risk of theft or intrusion, such as locked server rooms in data centers.
Unbeknownst to most users of these devices, however, Western Digital also provides a hidden backdoor that allows attackers to read the contents of a remote WD My Cloud device over the Internet and remotely wipe it clean with little more than a few simple commands.
To be clear: This vulnerability isn’t some kind of world-ending exploit that grants attackers administrator privileges on your NAS device. Rather, it’s another example of how even the smallest software bugs can have disastrous real-world implications if left unaddressed.
Ultimately, this research demonstrates why it’s important to AVOID untrusted network shares wherever possible and never upload sensitive data to cloud services without reading their privacy policies first.
How The Vulnerability Works
Western Digital My Cloud NAS devices are embedded Linux machines. Like all devices running Linux, they have built-in SMB services by default. SMB is a network file-sharing protocol designed to work between Windows machines and non-Windows devices.
SMB is often left unsecured, and its ports are among the first that attackers probe, even without an exploit. On a remote My Cloud device, an attacker could access the /share folder, which normally would be accessible only to a local user account (e.g., “Administrator”).
Once an attacker has read access to the /share folder, he or she can list the user accounts found on the device and see the amount of disk space each user account consumes.
Remote Wipe Exploit Process
The researchers, who are part of the Positive Technologies research team, found a vulnerability in the My Cloud devices where authentication was not required when attempting to execute the Wipe Remote Device command. Remote wipe and data erasure are two different things.
Data erasure removes the file name but leaves the actual data intact. Remote wipe removes both file name and data. Data erasure is seen as a legitimate feature, whereas remote wipe is only supposed to be used in extreme cases. From an attacker’s perspective, the most efficient method of erasing data from a Western Digital NAS device is to use the Cloud Wipe function.
This function can be triggered from the device’s web console and is designed to execute an erase command on the device that the web console controls. The device then deletes all data stored on it.
Remote Wipe by Default?
Initially, the researchers assumed the remote wipe function might be enabled by default in the web console. This would be a huge oversight by Western Digital, given the potential for abuse. As it turns out, however, this function isn’t enabled by default.
An attacker must get a valid username and password to log into the web console and enable the remote wipe function. To be clear: There is no indication that attackers would be able to obtain valid login credentials. But, as we know, credential harvesting is one of the most common attacks.
What’s more, My Cloud devices with default settings are available on the Internet, which makes them an easy target for attackers.
Other Ways to Wipe a Western Digital NAS Device
If an attacker cannot log into the web console, he or she can still attempt to remotely erase a device by using the Wipe command. The Wipe command is designed to erase data from a specific partition on the device. It does not erase the device’s content as a whole. Remote wipe from the command line is disabled by default, so an attacker must log in to the device and enable the remote wipe function.
What Does This Mean for Users?
The primary implication of this research is that sensitive data should never be uploaded to a cloud NAS service. While the risk of authentication credentials being obtained via man-in-the-middle attacks or other methods is real, there are far safer ways to store data. At the very least, users should avoid uploading sensitive data to cloud NAS services with default settings.
Remote wipe is a feature that can be useful in certain situations, such as when a device is infected with a virus or has been stolen. Because remote wipe is not enabled by default on the device, it would take an attacker quite some time to gain access to a device and then remotely wipe it.
Internet-connected devices such as the Western Digital NAS pose a significant risk to their owners. These devices often have admin accounts enabled by default, meaning that a remote attacker who discovers their IP address can easily log in and access data that has been shared using the device’s network share feature. Malicious actors can also use such compromised devices to launch distributed denial of service attacks against other systems.
To protect yourself against these risks, it’s important to regularly scan your network for devices that are reachable from outside your secured network environment. You can also use a software-based firewall to help mitigate the risks associated with Internet-connected devices. The Western Digital NAS, while a great network backup device, has default settings that, like those of many other devices, must be changed to keep your network and your data safe from external threats.