WD Mybook Live NAS remotely wiped clean

In some ways, but these things happen… once the exploit becomes known about, every device is a potential target for a hacker.

I guess these sorts of low-cost consumer devices don’t have ITHCs applied, but equally one should therefore limit the value of what is stored on them.

Things happen, but these things (checking in code that disables central security features into the production code, and apparently without any review) really should not.

Of course, now that it’s out, any of these boxes is a target. On the other hand, leaving a WD Mybook accessible from the wider internet was always asking for it.

1 Like

You can perhaps understand why I suggested what I did earlier on… one might be quite shocked or surprised by the vulnerabilities that are out there…

If it’s of value, don’t have it connected to the internet, unless you have robust equipment that is certified for it.

Yes, I know, read enough stories. Nevertheless, this is neither an intentional backdoor nor a security hole caused by a bug due to poor coding. Even the most basic measure should have caught it. I mean, NO reviews?

1 Like

I can’t say here, but this is absolutely not limited to WD. By the way I would regard this as a bug in identity controls management

Sure. Still :slight_smile:

Right, it was introduced in 2011 after a sloppy developer made changes to the procedure and commented out the privilege check for easier local testing. Support for the device/firmware ended in 2015, so apparently for 4 years it wasn’t spotted by anyone that the code was commented out.

Most software development teams these days use automated tests for these kinds of critical vulnerabilities:

It’s really quite astounding that WD didn’t have those in place, especially considering these were end-user managed, often internet facing devices.

Not really… unit testing is functional code testing. Critical vulnerabilities are assessed separately by ITHC.
If the software DevOps does not go through this, then the software can’t really be considered for critical use, for precisely these reasons.

Well okay, it can be tested in multiple layers, but usually I would say that authentication is a critical part of unit testing as well. Good auth = go, bad auth = fail.

1 Like
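To make the "good auth = go, bad auth = fail" idea concrete, here is an added example (not code from the thread or from WD’s firmware). It shows a minimal handler with a privilege check, a variant with that check commented out in the way the thread describes, the unit test that would fail on the variant, and a cheap lint that flags a privilege check surviving only as a comment. The endpoint, role and user names are hypothetical.

```python
"""Added example, not WD code: privilege check, its commented-out twin,
and the unit test / lint that catch the difference."""
import inspect
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    path: str
    user: Optional[str] = None   # None: no authenticated session
    role: str = "guest"


@dataclass
class Device:
    wiped: bool = False
    audit: List[str] = field(default_factory=list)


class NotAuthorized(Exception):
    pass


def require_admin(req: Request) -> None:
    """Privilege check: the request must come from an authenticated admin."""
    if req.user is None or req.role != "admin":
        raise NotAuthorized(f"{req.path}: admin privileges required")


def factory_restore(req: Request, dev: Device) -> int:
    """Correct handler (hypothetical endpoint): check privileges, then wipe."""
    require_admin(req)
    dev.wiped = True
    dev.audit.append(f"factory restore by {req.user}")
    return 200


def factory_restore_unchecked(req: Request, dev: Device) -> int:
    """Same handler with the check disabled the way the thread describes:
    commented out for local testing and never restored."""
    # require_admin(req)
    dev.wiped = True
    dev.audit.append(f"factory restore by {req.user}")
    return 200


Handler = Callable[[Request, Device], int]


def _rejected(handler: Handler, req: Request) -> bool:
    """True only if the handler refused the request AND left the device untouched."""
    dev = Device()
    try:
        handler(req, dev)
    except NotAuthorized:
        return not dev.wiped
    return False


def auth_test_results(handler: Handler) -> Dict[str, bool]:
    """'Good auth = go, bad auth = fail' as a unit test.
    Every value must be True for the handler to pass."""
    dev = Device()
    return {
        "admin_allowed": handler(Request("/restore", "admin", "admin"), dev) == 200 and dev.wiped,
        "anonymous_rejected": _rejected(handler, Request("/restore")),
        "plain_user_rejected": _rejected(handler, Request("/restore", "bob", "user")),
    }


# Matches a line that is nothing but a commented-out privilege check.
COMMENTED_CHECK = re.compile(r"^\s*#\s*require_\w+\(")


def commented_out_checks(handler: Handler) -> List[int]:
    """Cheap lint: line numbers (relative to the function's first line)
    where a privilege check survives only as a comment."""
    src = inspect.getsource(handler)
    return [n for n, line in enumerate(src.splitlines(), 1) if COMMENTED_CHECK.match(line)]


if __name__ == "__main__":
    for h in (factory_restore, factory_restore_unchecked):
        print(h.__name__, auth_test_results(h),
              "commented-out checks at lines:", commented_out_checks(h))
```

The negative cases are the important ones: the unchecked handler still passes the "admin allowed" case, so a test suite that only exercises the happy path would never notice the missing check. The lint is deliberately simple and only catches the exact pattern described in the thread; it is a backstop for review, not a substitute for it.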

I agree, it’s the vulnerability angle I was coming from… ie sloppy or errant coding as here

1 Like

Yes, this example in the WD firmware is just really stupid, very poor quality control…

But as you say, it happens a lot, and often in companies that we trust with our communications or data. This other recent example was really bad as well:

Cybercriminals Ramp Up Exploits Against Serious Zyxel Flaw | Threatpost.

More than 100,000 Zyxel networking products could be vulnerable to a hardcoded credential vulnerability (CVE-2020-29583) potentially allowing cybercriminal device takeover.

The vulnerability stems from Zyxel devices containing an undocumented account (called zyfwp) that has an unchangeable password – which can be found in cleartext in the firmware, according to Niels Teusink at EYE, who discovered the flaw and published his analysis in tandem with Zyxel’s December advisory.
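For the class of defect quoted above (an undocumented account with a fixed password shipped in the firmware), here is an added example of the kind of check a firmware owner could run over an extracted root filesystem. It is not code from the thread, the Threatpost article or Zyxel. It flags accounts in /etc/shadow that have a usable password hash but are not on an allowlist of expected accounts, and cleartext password assignments in config files. The sample filesystem, account names and paths are constructed for the example.

```python
"""Added example: scan an extracted firmware rootfs for undocumented
accounts with set passwords and for cleartext password settings."""
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Constructed sample rootfs (not real firmware content).
SAMPLE_FILES = {
    "etc/passwd": (
        "root:x:0:0:root:/root:/bin/sh\n"
        "svcacct:x:1001:1001::/:/bin/sh\n"
        "nobody:x:65534:65534::/:/bin/false\n"
    ),
    "etc/shadow": (
        "root:$6$q9Fh2Kx1$Zr4bN8wQp0LsT7vYcE3mD:18000:0:99999:7:::\n"
        "svcacct:$1$aB3dE5$fG7hJ9kL1mN3pQ5rS7tU:18000:0:99999:7:::\n"
        "nobody:*:18000:0:99999:7:::\n"
    ),
    "etc/config/app.conf": (
        "listen=0.0.0.0\n"
        "admin_password=Pr0tect3d!\n"
        "# password=old\n"
        "user=svcacct\n"
    ),
}

EXPECTED_ACCOUNTS = {"root", "nobody"}      # hypothetical allowlist
CONFIG_SUFFIXES = {".conf", ".cfg", ".ini", ".xml", ".txt"}
# key=value or key: value where the key mentions a password/secret.
CLEARTEXT_RE = re.compile(
    r'^\s*([A-Za-z0-9_.-]*(?:passw(?:or)?d|secret)[A-Za-z0-9_.-]*)\s*[=:]\s*["\']?([^"\'\s#]+)',
    re.IGNORECASE,
)


def build_sample_rootfs(base: Path) -> Path:
    """Materialise SAMPLE_FILES under base and return the rootfs path."""
    for rel, content in SAMPLE_FILES.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return base


def undocumented_accounts(rootfs: Path, expected: Iterable[str]) -> List[str]:
    """Accounts whose shadow entry holds a usable hash but are not expected."""
    expected = set(expected)
    found = []
    for line in (rootfs / "etc/shadow").read_text().splitlines():
        if not line.strip():
            continue
        name, pw_hash = line.split(":", 2)[:2]
        locked = pw_hash == "" or pw_hash.startswith(("*", "!"))
        if not locked and name not in expected:
            found.append(name)
    return found


def cleartext_passwords(rootfs: Path) -> List[Tuple[str, int, str]]:
    """(file, line number, key) for cleartext password-like settings."""
    hits = []
    for p in sorted(rootfs.rglob("*")):
        if not p.is_file() or p.suffix not in CONFIG_SUFFIXES:
            continue
        for n, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
            m = CLEARTEXT_RE.match(line)
            if m:
                hits.append((p.relative_to(rootfs).as_posix(), n, m.group(1)))
    return hits


def scan(rootfs: Path) -> Dict[str, list]:
    return {
        "undocumented_accounts": undocumented_accounts(rootfs, EXPECTED_ACCOUNTS),
        "cleartext_passwords": cleartext_passwords(rootfs),
    }


def scan_sample() -> Dict[str, list]:
    """Build the constructed rootfs in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_rootfs(Path(tmp)))


if __name__ == "__main__":
    print(scan_sample())
```

On the constructed sample the scan reports the `svcacct` account (a usable hash, not on the allowlist) and the `admin_password` line in `etc/config/app.conf`; the commented-out `# password=old` line is deliberately ignored. Against a real image you would point `scan()` at the directory produced by your firmware extraction tool, and the allowlist would be the accounts your documentation actually admits to.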

Yes, I guess you pay for what you get, and mass-produced low-cost consumer products will have limitations… I would prefer to see a warning for users that such devices should not be used for storing information of value…
You are better off using cloud storage from a reputable service provider with a form of MFA… or for really valuable assets use an encrypted dongle / store that is kept disconnected and stored in a fire safe… which is what I use.

To me it is the integrity of 3rd parties’ sw/systems that hold my personal data that most concerns me, e.g. banks, voice data comms, HM government. I have no idea how secure they are.

None of those will be using WD Mybooks….

2 Likes

Yes, and for at home I usually prefer open source solutions, instead of commercial NAS products that contain unknown code.

No, they will be using WD MyPassports. So much easier to slip into your pocket for that train ride back home.

On the whole in the UK I am sure you can be reasonably confident with HM Gov… sure, accidents, mistakes and compromises happen from time to time, but the standards are very high through the NCSC… the UK is pretty advanced in cyber security standards and implementation. The NCSC also provides guidance for all.
https://www.ncsc.gov.uk/

True, but that wasn’t my point. I am talking about the businesses’ systems: in large companies they may be slow to upgrade 3rd party systems they use, e.g. Windows, and because the product gets so embedded in the business and tweaked it’s difficult to upgrade, and hence they are late to implement security updates in updated releases of the 3rd party products they use.

Yes, standards are high; however, re staff, you cannot always control what happens working from home and they may take shortcuts. I have worked for Ericsson and EDF and the potential is real. Even at the office it only takes one employee to upload a bug from an email.

I agree, people are often the weakest link. Government security clearances help… but only to a degree… and the higher levels are significantly about integrity and susceptibility to coercion and blackmail.