For some Western Digital My Book users, another exploit is looming. Last month, some Western Digital customers found that their My Book Network Attached Storage (NAS) devices had been remotely wiped due to a bug in a product line the company stopped supporting in 2015. What’s worse? There is a similar, recently discovered flaw in a large group of newer Western Digital My Cloud network storage devices. These flaws will remain unfixed for customers who do not upgrade to the latest operating system.
What’s the key issue to be aware of?
There are remote code execution flaws in all Western Digital network-attached storage (NAS) devices running My Cloud OS 3, an operating system for which Western Digital only recently ended support.
What’s the recommendation for consumer Western Digital customers?
Consumers should move over to the My Cloud OS 5 firmware as soon as possible. If your device is not eligible for the upgrade to My Cloud OS 5, we recommend that you upgrade to one of the other My Cloud offerings from Western Digital that support My Cloud OS 5. Learn more here.
Be warned: with the update to OS 5, you will lose some popular features and functionality from OS 3. OS 5 is essentially a complete rewrite of Western Digital’s core operating system. As a result, many users may decide they don’t want to migrate to OS 5. However, if your device is wiped through a known vulnerability, it’s on you.
What should you do if you’re a business using a Western Digital My Book NAS?
Please don’t. Consumers use solutions like this to access large amounts of data locally or remotely. There’s nothing secure or compliant about off-the-shelf, internet-accessible NAS devices.
If you’re a business that deals with personal information and feels a NAS device accessible from the internet is the right solution for you, find a competent IT company with a cybersecurity background and review your options. For example, we may recommend a business-class Synology solution paired with a VPN protected by multi-factor authentication if it makes sense.
If you don’t upgrade to OS 5, here is your other option:
Experts also say that My Cloud users on OS 3 can essentially eliminate the threat from this attack by confirming that their devices are not set up to be reachable remotely over the internet. While easy remote access is a selling point for Western Digital users, it also exposes devices to known and unknown vulnerabilities (e.g., being remotely wiped without you knowing!).
Do you have questions? Get in touch.