Western Digital is still reeling from two different major exploits that were used to remotely wipe the hard drives of its My Book Live products, but the headache has not ended. Several other Western Digital NAS drives running its OS 3 also have a vulnerability that the company won’t fix.
A new report published by security journalist Brian Krebs found that Western Digital products running the company’s My Cloud OS3 software have a zero-day vulnerability that can only be fixed by upgrading to the company’s OS 5 (there is no OS 4).
Two researchers named Radek Domanski and Pedro Riberio originally planned to demonstrate the security flaw last year at a hacking competition, but Western Digital released OS 5 which patched out the bug they found before they could. That new update nullified their work because the competition required entries to work against the latest firmware supported by the targeted device.
The two still published their findings in the video below that documents how the two discovered a chain of weaknesses that allows an attacker to remotely update the vulnerable device’s software with a malicious backdoor using a low-privileged user account that has a blank password.
The problem can be solved by updating to OS 5, but not all devices that run OS 3 can be upgraded to OS 5, and not everyone who owns a device that runs OS 3 wants to upgrade because of changes that the company made to the user experience. Photographers in particular were negatively affected.
Not long after OS 5 was released, users began to complain that the upgrade to was causing major usability issues. In a report from MacWorld, some alleged that upgrading required the complete deletion of storage media and that numerous functions that were beloved and used by the community were missing. For example, some reported that they could no longer access data via the desktop app, WebDAV, or remote dashboard nor were they able to organize the backups via WD SmartWare or WD Sync.
Additionally, OS 5 appeared to break numerous third-party apps that were developed for the system. According to MacWorld, the integration of cloud services from Google, Dropbox, One Drive, and Adobe were also eliminated.
“I have EX2 Ultra 8TB about 1.2TB of data. It has been more than 24 hours indexing. What is going on?” one user reported.
“My fans have been running at 10k RPM solid since yesterday afternoon. I’m watching the HDD temps closely in case the fan craps out,” said another.
“Photography is my hobby. I am using HOME-NAS to store and backup my photos. So I have at least more than 40,000 photos on hand, .jpg, .psd, or .raw,” one user reported. “To be honest, I don’t need a thumbnail at all. I just want my photos to stay safe and I can reach them anywhere (of course with internet). But I don’t have an option to turn the thumbnail off. So now it seems that indexing would not stop, and My Cloud mobile app doesn’t work totally.”
For these reasons, many photographers urged each other not to upgrade from OS 3 to OS 5 because of the issues.
“The My Cloud OS 5 release is a major upgrade that comprehensively upgrades the security architecture of the My Cloud operating system. Like all major operating system upgrades, the upgrade from OS 3 to OS 5 introduced new functionality and retired some older features that were infrequently used or had security concerns. Since the initial release in October of 2020, we have released updates to My Cloud OS 5 every month to respond to customer feedback, address issues, and restore top-used functionality that was omitted from the original release,” a Western Digital representative told PetaPixel.
“To clarify, the upgrade from My Cloud OS 3 to OS 5 has never required complete deletion of storage media. In other cases, functionality is now provided in a different form or application; for instance, the WD Sync and SmartWare applications have been replaced with Acronis True Image for Western Digital, which offers backup and ransomware protection in a single application for Windows and Mac computers. We believe that My Cloud OS 5 offers the best and most secure personal cloud experience we’ve ever released and continue to recommend that all eligible OS 3 users upgrade as soon as possible.”
Western Digital says that the best fix is simply to upgrade to OS 5, which for many doesn’t feel like a solution since that operating system hurts them more than it helps. Unfortunately, Western Digital has openly stated that it has no plans to update OS 3 to fix the problem so that those who still enjoy the many features of that older operating system can also be protected.
If a device doesn’t support the upgrade, Western Digital recommends simply buying a newer system.
“We will not provide any further security updates to the My Cloud OS3 firmware,” the company has stated on a support page. “We strongly encourage moving to the My Cloud OS5 firmware. If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5.”
PetaPixel reached out to NAS manufacturer Synology to ask if Western Digital’s approach to ending support for physical devices — like My Cloud Live or any device that cannot upgrade to OS 5 — was standard in the industry.
The short answer is no, it’s not a standard practice.
“Synology continues to support our NAS devices and DSM past the production life of any given model. The hardware is protected by a minimum two-year warranty, and we continue to offer technical support and DSM updates past the warranty period,” a Synology representative said.
“No matter what piece of tech users are looking to buy, they should always look at the security update guarantees from the vendor. Considering a company’s stance on security and seeing a history of consistent updates and follow through should be a part of everyone’s buying process.”
Western Digital’s NAS offerings were likely chosen over products from Synology due to a mix of brand recognition and the ease of use promised by the My Cloud platform. Synology’s system is more powerful and more easily customized, but it’s not generally seen to be as user-friendly. Clearly, there is a tradeoff though, as Western Digital has repeatedly shown that it will sunset hardware by not supporting it with software updates beyond the production life of the product.
For those who own a device running OS 3 and cannot or do not want to upgrade to OS 5, Domanski and Ribiro developed a free patch to keep the devices safe. Unfortunately, it will have to be reapplied each time the device is rebooted. The drives can also be kept safe by unplugging them from the internet.