My Guest Blogger Eddie Block (CISSP, CIPM, CIPP/G, CISA, CEH) is a senior attorney in Gardere’s Litigation Group and member of the Cybersecurity and Privacy Legal Services Team who focuses on all aspects of information cyber security, including credentialing functions, firewall and IDS deployment and monitoring, and penetration testing, and related complex litigation.  Eddie blogs at JurisHacker.

Bugs in the clouds

Western Digital claims it’s My Cloud Pro Series PR4100 has these features:

With space to keep virtually everything, the My Cloud Pro Series offers your creative team the network storage to edit, save and share production files from anywhere with an internet connection. Compatible with both Mac and PC, you’re able to protect your content regardless of OS. And with all photos, videos and files organized in one place, your team has all it needs to streamline its creative workflow.

Amir Etemadieh (Zenofex) of Exploitee.rs has a great write up on a series of vulnerabilities in the Western Digital My Cloud storage appliances.  Zenofex is an amazing vulnerability researcher and all around good guy.

I’m not singling out Western Digital.  I think they make some good products.  The types of flaws that Zenofex found in this appliance are the same type that many IoT and personal “cloud” appliances contain.  The devices are made to be super easy for a consumer to setup and they allow the owner to connect to them from anywhere (many times with a smartphone app).

This ease of setup and access, though, means that they really should be hardened and secured like real commercial production system.  Hardening these types of systems should include changing passwords, closing unnecessary ports, validating and testing interfaces, using encryption at rest and in transit, etc.

This type of hardening is well beyond the average consumer and things like validating web applications for injection attacks is beyond many security professionals.

So, again, I’ll harp on manufacturers.  They need to build in security by default.  They need to test and validate their apps.

Folks like Zenofex do all of us a great service by finding these types bugs in consumer products, but it should not be up to a curious researcher.  It is the responsibility of the vendors to sell products that are safe for deployment.

Leave a Reply

Your email address will not be published. Required fields are marked *