Trustwave have released an advisory on a vulnerability found in Western Digital’s My Cloud EX2 storage/backup device.
Trustwave claim that on the default configuration of a new My Cloud EX2 drive allows any unauthenticated local network user to grab any files from the device using HTTP requests. This is due to a UPnP media server that is automatically started when the device is powered on. By default, unauthenticated users can grab any files from the device completely bypassing any permissions or restrictions set by the owner or administrator.
Unfortunately, Trustwave say Western Digital declined to fix this insecure default setting. Instead they recommend that users turn off DLNA if they do not wish to utilise the product feature.
When reached for comment, WD issued the following statement to PC World:
“Security researcher Trustwave recently contacted Western Digital concerning an aspect of WD My Cloud media server capabilities and has reported its perspective. To enable My Cloud users to easily play their media content from a My Cloud system to any device with a DLNA-enabled media player, such as smart TVs or smart phones, My Cloud systems come with Twonky Server. Twonky Server allows access to My Cloud users within the local network without password protection, which is common with any DLNA server software."
"Western Digital recommends that users save their content they want protected with a password in shares for which DLNA capabilities are disabled; or disable Twonky server for the entire system, which would disable only DLNA media server capabilities."
In the advisory the Trustwave SpiderLabs researcher, Martin Rakhmanov, also provides a tool to test devices which can be found here.