Alright, not to freak you out too much, but that convenient little box by Western Digital called My Cloud that allows you to store and access all your digital stuff from any computer anywhere — it’s under attack.
According to Wired, the attack is called Heartbleed, and it is a flaw in the data encryption of My Cloud that allows the bad guys to get past the firewall and steal information from a machine’s memory. As University of Michigan researchers discovered, the problem isn’t limited to My Cloud; it affects many other devices.
The number of devices still at risk is harrowing: HP printers, Polycom video conferencing systems, WatchGuard firewalls, VMware systems, and Synology storage servers. Weaver counts tens of thousands of users of the Parallels Plesk Panel web hosting control panel that are vulnerable too — those could become a prime target of hackers looking to take control of websites.
A spokesperson for HP, Michael Thacker, assured HP users in April the company was on top of it. “HP is developing firmware updates for any consumer printing devices that may be impacted, and customers should install them when they become available. A small number of consumer printer models are impacted.”
Even if you’re not an HP user or using My Cloud, what makes the Heartbleed issue especially concerning is that this type of hack can be used to lift info from any number of devices. It could be something as simple as a session cookie that a hacker uses to gain device access.
Anything that needs to connect securely over the internet could have a Heartbleed problem. But Weaver and the University of Michigan team found that many devices that used OpenSSL were not vulnerable — either because they used an old version of the software library, or because the buggy OpenSSL feature that contains the flaw wasn’t enabled. “This vulnerability is only present if your device is accepting heartbeat messages,” says Zakir Durumeric, a PhD student at the University of Michigan. “And what we’ve found is that many devices on the internet do not accept heartbeat messages.”
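Whether a device has the heartbeat feature switched on is visible in the ServerHello it sends during the TLS handshake. The following is an added example, not code from the article or the researchers: it parses a ServerHello record and reports the heartbeat extension (type 15 in RFC 6520) if the server advertises it. The function names and the sample handshake bytes are constructed for illustration.

```python
import struct

HEARTBEAT_EXT = 15  # TLS extension type for heartbeat (RFC 6520)
MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}

def heartbeat_mode(record):
    """Return the heartbeat mode a ServerHello record advertises, or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) < 38 or len(body) != int.from_bytes(record[3:5], "big") - 4:
        raise ValueError("truncated or fragmented ServerHello")
    pos = 2 + 32                 # skip server_version and random
    pos += 1 + body[pos]         # skip session_id
    pos += 2 + 1                 # skip cipher_suite and compression_method
    if pos > len(body):
        raise ValueError("session_id overruns the message")
    if pos == len(body):
        return None              # no extensions block: heartbeat not offered
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if end > len(body):
        raise ValueError("extensions block overruns the message")
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        if ext_type == HEARTBEAT_EXT and len(data) == 1:
            return MODES.get(data[0], "unknown")
        pos += 4 + ext_len
    return None

def sample_server_hello(extensions):
    """Constructed test input: TLS 1.2 ServerHello, zero random, empty session id."""
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    offered = sample_server_hello([(0xFF01, b"\x00"), (HEARTBEAT_EXT, b"\x01")])
    plain = sample_server_hello([(0xFF01, b"\x00")])
    print(heartbeat_mode(offered), heartbeat_mode(plain))
```

A server running a fixed OpenSSL build can still advertise heartbeat, so a hit here means "check this device's firmware and library version", not "this device is leaking memory".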
It’s probably a good idea to keep your data stored locally and avoid the quick, easy, non-encrypted cloud.