Locked out? Don’t worry, here’s the hardcoded password for your WD My Cloud NAS device

Yes, it works remotely.

Locked out? Don't worry, here's the hardcoded password for your WD My Cloud NAS device

Security researcher James Bercegay found a glaring security hole in the Western Digital MyCloud family of storage devices back in June 2017.

He discovered that, amongst other vulnerabilities, a hidden firmware backdoor allowed anyone to login remotely, using the username mydlinkBRionyg, and the somewhat underwhelming password abc12345cba.

Which is really rather handy I have to admit, especially if you’re the kind of person who finds remembering passwords a right royal pain in the backside and want to access your personal stored files while you’re away from home.

Sign up to our free newsletter.
Security news, advice, and tips.

What isn’t quite so marvellous is that, sadly, someone might use the same credentials (and yes, they are apparently the same on all affected WD devices) to log into your personal files remotely. In fact, the existence of default login credentials could even be used in a Mirai-style attack.

The following Western Digital devices are said to be vulnerable:

  • My Cloud
  • My Cloud Mirror
  • My Cloud Gen 2
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX2
  • My Cloud EX4
  • My Cloud EX2100
  • My Cloud EX4100
  • My Cloud DL2100
  • My Cloud DL4100

Like any good vulnerability researcher, Bercegay informed the vendor about the problem, and Western Digital requested that he wait 90 days before publicly disclosing the flaw, giving them time to fix it.

Unfortunately, after six months, Western Digital still hadn’t issued any fixes. So, now we all know about it.

And that seems to have – finally – stirred Western Digital into action. Customers are advised to install firmware version 2.30.174 to remove the bonkers backdoor.

Regular readers will note that this isn’t the first time that WD My Cloud devices have been found to contain concerning vulnerabilities.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

10 comments on “Locked out? Don’t worry, here’s the hardcoded password for your WD My Cloud NAS device”

  1. A

    https://blog.westerndigital.com/western-digital-cloud-update/ stats that fix is in 2.30.172 not 2.30.174

    1. Graham CluleyGraham Cluley · in reply to A

      Hmm. That's odd. Bercegay in his disclosure says that the fix is to update to firmware version 2.30.174. Maybe WD fixed it in 2.30.172, but they had got to 2.30.174 by the time of Bercegay's advisory? It's a mystery…

      Anyway, WD My Cloud users – update to the latest version, whatever that is.

  2. Etaoin Shrdlu

    "and won't to access your personal stored files"

    1. Graham CluleyGraham Cluley · in reply to Etaoin Shrdlu

      Whoops. Typo fixed. Thanks

  3. Chris

    Updating my Mycloud as we speak but it says latest version is

  4. furriephillips

    They're not the only culprits for this kind of underhand and short-sighted practice. These IP cameras have definitely got a hard-coded user:pass that is not documented or user-manageable. http://amzn.to/2Dpeym3

    1. furriephillips · in reply to furriephillips

      And it's on their uncloseable telnet port! *eyeroll*

  5. DeeeeLink

    Note the 'D-Link' connection… D-Link SUCK at security, in my (limited) experience…

  6. michael malone

    Mr. Cluley,
    Thank you for "the hardcoded password for your WD My Cloud NAS device" very much appreciated. I have a question which I hope you might have a direction or answer for me. I have a WD My Cloud Mirror and recently it's power light has been blinking blue and will not allow me to have access to my information.

    Do you know if there is anything I can do to fix this?

    Thank you so much,

  7. Bert Rievers

    I am also confused. Looking for real root-access (some files are not accessible/editable from ssh user in putty or winscp) I stumbled onto this article. It is 2021 now and I just checked my WD MyCloud EX4. The above hack doesn't work, the firmware version number is 2.12.127 (!). The last update is supposed to have been at "Thursday 2020 november 19 14:49:24" and after checking it reports that there are no updates available. Actually I am pleasantly surprised that WD updated this device's firmware so recently (probably only a security update, perhaps due to above mentioned vulnerability) since it is several years old and has still some quite outdated software (undoubtable also with security issues) like a very, very old MYSQL and PHP/phpMyadmin version. Also apps like "Joomla!" are very old and as good as obsolete indeed. I was hoping they would have updated that also, but alas…

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.