Beware Western Digital My Cloud users, your files are accessible to anyone!

netant

Those planning to buy a Western Digital My Cloud, avoid it.
Those who already have one, read this very seriously.

WD has injected their devices with a hard-coded backdoor to access your data.

WD devices allow remote backdoor admin access
WD devices allow remote backdoor admin access through the username “mydlinkBRionyg” and password “abc12345cba”.
Source:-
1. https://www.theverge.com/2018/1/11/16877680/western-digital-cloud-devices-vulnerability
2. https://www.csoonline.com/article/3246234/security/hardcoded-backdoor-in-12-western-digital-my-cloud-nas-devices.html

Not only this, they sell your private data and track your usage and browsing patterns (they declared it here: https://www.wdc.com/about-wd/legal/third-party-analytics.html).

We currently use Flurry, Crashlytics, Sumo Logic, and Google Analytics to track and report on the usage and browsing patterns on some of our software applications.

For Flurry’s privacy policy, please see https://policies.yahoo.com/us/en/yahoo/privacy/index.htm. You may opt-out of Flurry by following this link: https://dev.flurry.com/secure/optOut.do.

For Crashlytics’s privacy policy, please see http://try.crashlytics.com/terms.

For Google’s privacy policy with respect to Google Analytics, please see http://www.google.com/analytics/learn/privacy.html.

For Sumo Logic’s privacy policy, please see https://www.sumologic.com/privacy-statement/.

Western Digital's My Cloud is a popular storage/backup device that lets users backup and store important documents, photos and media files. Unfortunately the default configuration of a new My Cloud EX2 drive allows any unauthenticated local network user to grab any files from the device using HTTP requests.

Source:- https://www.trustwave.com/Resources/SpiderLabs-Blog/WD-My-Cloud-EX2-Serves-Your-Files-to-Anyone/

Someone mentioned a workaround for these vulnerabilities:-
Code:
As for how to remove them, since the OS is based on Debian it's fairly easy.
You can manually stop the services first if you are nervous, using:

service nameofservicehere stop

List of services:
apache2
itunes
mDNSResponder
openvpn
wdphotodbmergerd
twonky
smartd
upnp_nas
wdVftEntry
wdmcserverd

Then you can either remove them entirely with dpkg -r servicename

or just disable on startup by using rcconf.
apt-get install rcconf
then disable the services listed above.
which is too technical for a normal user, especially one who opts for a WD Cloud instead of building their own NAS.

Any Linux expert who cares to explain the above steps in detail for less technical users would be really appreciated.

EDIT:-

here is the live video to exploit.

netant

I know how to access SSH :) I modified my media server from there using PuTTY to suit my taste.
I was talking about the unwanted services which allow this drive to access the "internet". (Currently I have put a localhost IP in the DNS field to restrict internet access.)

"Then you can either remove them entirely with dpkg -r servicename" --- it's throwing an error when I'm trying to execute it.

I want to strip down / uninstall all components which allow internet access, and just keep the media server, which should only be accessible from the LAN.

EDIT:- Trying to disable them using a cron job.

6pack

dpkg -r servicename

dpkg = package manager; -r = remove, servicename = name of service.

if you want to remove itunes, then : dpkg -r itunes

If that is giving you errors, pasting the error here would help in diagnosing the problem. Another method to remove the programs is using apt.
e.g. sudo apt-get remove itunes

There needs to be apt-get on the system though.

netant

Replace servicename with apache2
if you want to remove itunes, then : dpkg -r itunes
Currently disabling stuff in crontab, something like this:
Code:
@reboot /bin/sh /etc/rc2.d/S86wdphotodbmergerd stop
@reboot /bin/sh /etc/rc2.d/S85wdmcserverd stop
@reboot /bin/sh /etc/rc2.d/S50netatalk stop
@reboot /bin/sh /etc/rc2.d/S60mDNSResponder stop
Would like to remove these services (keep only the ones marked in green):-
  1. apache2
  2. itunes
  3. mDNSResponder
  4. openvpn
  5. wdphotodbmergerd
  6. twonky - will keep this due to media server
  7. smartd
  8. upnp_nas - twonky dependency
  9. wdVftEntry
  10. wdmcserverd
Tried removing them, it's throwing this error:-
Code:
crontab: installing new crontab
MyCloud:~# dpkg -r mDNSResponder
dpkg: warning: ignoring request to remove mdnsresponder which isn't installed
MyCloud:~# dpkg -r wdphotodbmergerd
dpkg: warning: ignoring request to remove wdphotodbmergerd which isn't installed
MyCloud:~# sudo dpkg -r mDNSResponder
dpkg: warning: ignoring request to remove mdnsresponder which isn't installed
MyCloud:~#
Also in autorun, path /bin/sh /etc/rc2.d/, I can disable the scripts by prefixing a "K", running after reboot. It says:
The scripts in this directory are executed each time the system enters
this runlevel.

The scripts are all symbolic links whose targets are located in
/etc/init.d/ .

To disable a service in this runlevel, rename its script in this
directory so that the new name begins with a 'K' and a two-digit
number, and run 'update-rc.d script defaults' to reorder the scripts
according to dependencies. A warning about the current runlevels
being enabled not matching the LSB header in the init.d script will be
printed. To re-enable the service, rename the script back to its
original name beginning with 'S' and run update-rc.d again.
Now this seems to be an easier method than crontab: just replace S with K, but running update-rc.d is again giving an error. Do I have to run this for each individual service, like
Code:
update-rc.d S86wdphotodbmergerd disable
------------

EDIT:- In cron, shall I disable this, /etc/init.d/wdphotodbmergerd stop, instead of the startup script?

chetansha

Have you checked on the WD community?

6pack

dpkg: warning: ignoring request to remove mdnsresponder which isn't installed
Naturally. It can't remove something that is not installed on your system.
To disable a service in this runlevel, rename its script in this directory so that the new name begins with a 'K' and a two-digit number, and run 'update-rc.d script defaults' to reorder the scripts according to dependencies.
A warning about the current runlevels being enabled not matching the LSB header in the init.d script will be printed. To re-enable the service, rename the script back to its original name beginning with 'S' and run update-rc.d again.
Just prefix them with K. For example, instead of S86wdphotodbmergerd it becomes K86wdphotodbmergerd.
Do this for all the unwanted stuff and then run this in terminal once -

MyCloud:~# update-rc.d script defaults

It probably tells the update script to see if any scripts have the Kxx number prefixed to them, then disables those services and redoes the update script.
 

netant

Do this for all the unwanted stuff and then run this in terminal once -

MyCloud:~# update-rc.d script defaults
Tried running it, it's saying
Code:
MyCloud:~# update-rc.d script defaults
update-rc.d: /etc/init.d/script: file does not exist
Best thing, I have put everything in cron, as
Code:
@reboot /etc/init.d/wdphotodbmergerd stop
@reboot /etc/init.d/wdmcserverd stop
@reboot /bin/sh /etc/rc2.d/S86wdphotodbmergerd stop
@reboot /bin/sh /etc/rc2.d/S85wdmcserverd stop
@reboot /bin/sh /etc/rc2.d/S50netatalk stop
@reboot /etc/init.d/mDNSResponder stop
@reboot /bin/sh /etc/rc2.d/S60mDNSResponder stop
@reboot /bin/sh /etc/rc2.d/S04apache2 stop
In this way I can see what I have disabled in one place.

Have you checked on wd community?
Yes, the WD community is helpful.

Things were good until firmware version 04.04.00; after that WD started injecting stuff, creating backdoors.

I guess I have now made my device a little more secure by this :)

6pack

I guess it was:

MyCloud:~# update-rc.d wdphotodbmergerd defaults

I think "script" refers to the name of the script. So you will have to run the command for each script. Since you've already stopped them in cron, I don't think it's required now.
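A shell function, added here as an example and not written by any poster in this thread, that does the S-to-K renaming the /etc/rc2.d README describes for a list of init script names, checking /etc/init.d first (the dpkg "isn't installed" errors above came from treating init script names as package names). It takes an assumed root prefix so it can be dry-run against the constructed tree that make_fake_tree builds instead of a live device; make_fake_tree and its service names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from any poster in this thread: disable SysV init
# scripts the way the /etc/rc2.d README quoted above describes, by renaming
# S##name to K##name. ROOT is an assumed prefix so the function can be tried
# against a constructed tree; on the device itself it would be "/".
# Usage: disable_rc2_services ROOT name...
disable_rc2_services() {
    root="$1"; shift
    rc2="$root/etc/rc2.d"
    rc=0
    for name in "$@"; do
        # The "isn't installed" errors above came from giving dpkg an init
        # script name; these are scripts under /etc/init.d, not packages.
        if [ ! -e "$root/etc/init.d/$name" ]; then
            echo "skip: $root/etc/init.d/$name does not exist" >&2
            rc=1
            continue
        fi
        found=0
        for link in "$rc2"/S[0-9][0-9]"$name"; do
            [ -e "$link" ] || continue      # the glob matched nothing
            found=1
            base=$(basename "$link")
            mv "$link" "$rc2/K${base#S}"    # S86foo -> K86foo, number kept
            echo "disabled: $base -> K${base#S}"
        done
        [ "$found" -eq 1 ] || echo "note: no S## link for $name in rc2.d" >&2
    done
    # The README then asks for 'update-rc.d <name> defaults' per renamed
    # script, with the real script name in place of the word "script".
    return $rc
}

# Constructed fake tree (init scripts plus rc2.d symlinks) for a dry run.
make_fake_tree() {
    root="$1"
    mkdir -p "$root/etc/init.d" "$root/etc/rc2.d"
    for s in 86wdphotodbmergerd 85wdmcserverd 60mDNSResponder 20twonky; do
        name="${s#[0-9][0-9]}"
        printf '#!/bin/sh\n' > "$root/etc/init.d/$name"
        ln -s "../init.d/$name" "$root/etc/rc2.d/S$s"
    done
}
```

Services not named on the command line (twonky and wdmcserverd in the fake tree) keep their S links, so the media server stays enabled.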