In a revelation that should surprise exactly nobody, security researchers have revealed that Western Digital MyCloud drives have a built-in backdoor. AI hard-coded username and password give privileged command line access to the device, which may then be compromised however the attacker sees fit.
feature defect was disclosed responsibly enough to WD last July. After six months without a fix forthcoming, the researchers went public with it.
My usual handling of devices like this is to presume they are all similarly compromised. I do not, repeat, NOT connect them to their “cloud” services. In fact, I only use items like these if I can see how they can be used in a state where they are specifically forbidden from connecting to the Internet, and still be worthwhile to me.
With this one, at least, it turns out my level of paranoia is insufficient. A malicious webpage, visited from a machine on the same local area network as this MyCloud, can execute a script that pwns the device. Now I have to consider whether all such devices can reasonably be expected to have the same mode of possible compromise.