SEC Consult Vulnerability Lab issued an advisory disclosing serious vulnerabilities for the Western Digital My Cloud personal storage device. Graham Cluley summarized the advisory in a recent post. The recommendation is to disconnect the device from the network until fixes are available. Some of the vulnerabilities are pretty bad. As an example, the bad guys could use a cURL request to upload a malicious file to the device that could allow them to take control of the device. But wait, there's more. The firmware for Western Digital's My Cloud doesn't come with a mechanism designed to protect against cross-site request forgery attacks. This means that an attacker can pretty much do anything they want from the Internet.
Personal storage devices connected to the Internet can cause a world of hurt. It's convenient to just connect them to the Internet and have remote access to your data from the outside world. The problem with a large number of these devices is that they are consumer units with little concern for security. Besides, let's face it. Most people just leave them at default settings too, which makes the situation even worse.
E-mail: firstname.lastname@example.org Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology