RE: Western Digital at Pwn2Own 2021

Here we go with the locked announcement threads again, which is a terrible way to earn any semblance of TRUST. What is WD so afraid of?

Anyway, in my opinion these “Pwn2Own” events are little more than a sham designed to allow companies to foster the outward appearance of enhanced “security”. Sure, a lot of very talented people participate, but large cash bounties (bait) are clearly the main reason why.

All Western Digital NAS devices have a wide-open avenue of attack (among many) that’s rarely mentioned, and if I were a malicious attacker, it’s the method I would use. Simply create malicious (functional) apps with the potential to become popular, if such a word can even be used to describe My Cloud devices, then trigger a hidden payload to do… whatever.

Boom, you’ve just been pwned, and you never saw it coming.

The PR4100 was breached. Reported here: https://www.grc.com/sn/SN-844-Notes.pdf pages 3-5.