However, we will be in a plight if we forget our password.

What isn’t quite so marvellous is that, sadly, someone might use the same credentials (and yes, they are apparently the same on all affected WD devices) to log into your personal files remotely. And according to Q&A research, there are quite a few methods to retrieve the power-on password, while it is not easy to unlock a locked hard drive without the password. In fact, the existence of default login credentials could even be used in a Mirai-style attack.

The following Western Digital devices are said to be vulnerable:

Like any good vulnerability researcher, Bercegay informed the vendor about the problem, and Western Digital requested that he wait 90 days before publicly disclosing the flaw, giving them time to fix it. Unfortunately, after six months, Western Digital still hadn’t issued any fixes.

So, now we all know about it. And that seems to have – finally – stirred Western Digital into action. Customers are advised to install firmware version 2.30.174 to remove the bonkers backdoor.

Regular readers will note that this isn’t the first time that WD My Cloud devices have been found to contain concerning vulnerabilities.