Tuesday March 07, 2017

Western Digital Responds to MyCloud Security Issues

We ran a quick story yesterday about the multiple security issues identified in Western Digital's MyCloud product line. At the time we had reached out for comment but were asked to wait for a reply. WD sent us a response just a bit ago. Here it is in its entirety, with links embedded instead of typed out.

Western Digital is aware of recent reporting of vulnerabilities in its My Cloud family of products, including those related to vulnerabilities previously reported by Steven Campbell that were addressed with the firmware update made available on December 20, 2016. We are reviewing the recent exploitee.rs report and, based on a preliminary evaluation, a change to address one exploitee.rs-reported issue has already been made in the December update. Additionally, if we determine the report has identified any new issues, we will address those soon based on the severity of the issues, the existence, if any, of ongoing attacks, and the potential customer disruption of an unscheduled update. We recommend My Cloud users contact our Customer Service team at https://support.wdc.com/support/case.aspx if they have further questions; find firmware updates at https://support.wdc.com/downloads.aspx?lang=en#firmware; and ensure their My Cloud devices are set to enable automatic firmware updates.

Western Digital appreciates and encourages disclosure of potential vulnerabilities uncovered by security researchers such as Steven Campbell under the responsible disclosure model practiced by the security community. This balanced model acknowledges the contributions of security researchers, allows Western Digital to properly investigate and resolve concerns, and most importantly protects our customers from disclosure of exploits before a patch is available. As evidenced by our work with various researchers such as Steven Campbell, Versprite and others, we work closely with the security community to address issues and safely meet our customers’ needs. If exploitee.rs had followed this model as other security researchers have and contacted us with that spirit in mind prior to publishing their report, they would have known of our current work and progress toward a resolution in this case.


Interesting to see WD put this back on exploitee.rs for not "following" its disclosure model. That said, the site addressed exactly this point in the story we linked yesterday, and pretty much laid out that WD's security efforts are paltry at best.

Responsible Disclosure - At Exploitee.rs, we normally attempt to work with vendors to ensure that vulnerabilities are properly released. However, after visiting the Pwnie Awards at the last BlackHat Vegas, we learned of the vendor’s reputation within the community. In particular, this vendor won a "Pwnie for Lamest Vendor Response" in a situation where the vendor ignored the severity of a set of bugs reported to them. Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out. Instead we’re attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible. Through this process, we’re fully disclosing all of our research and hoping that this expedites the patches to users’ devices.

My thought is that WD would have been better off not shooting the messenger about its security issues, but rather fixing them.
