Owners of Western Digital network attached storage (NAS) devices may have yet another security headache on the horizon. Following the two flaws hackers exploited to , security journalist Brian Krebs has on another zero-day vulnerability that affects Western Digital products running the company’s My Cloud OS3 software. What’s more, it doesn’t appear there will be an official fix for those who don’t upgrade to a newer storage solution.
Earlier in the year, security researchers Radek Domanski and Pedro Ribeiro discovered a series of weaknesses that allow a malicious actor to remotely update a My Cloud OS3 device to add a backdoor. The two say they never heard back from the company when they tried to contact it about the vulnerability. Western Digital attributes its response (or lack thereof) to one of its previous policies.
“The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions,” a spokesperson for the company told Krebs. “We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again.”
While the flaw isn’t present in Western Digital’s new My Cloud OS 5, it’s unclear if the company ever went back to address it in My Cloud OS3. What’s more, it no longer plans to support the older software. “We will not provide any further security updates to the My Cloud OS3 firmware,” Western Digital says in a dated to March 12th, 2021. “We strongly encourage moving to the My Cloud OS 5 firmware. If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5.”
We’ve reached out to the company for more information. In the meantime, you can protect your My Cloud device by Domanski and Ribeiro developed. One thing to note is you’ll need to reapply it each time you reboot your device. You can also protect your My Cloud NAS drive by limiting its access to the internet.