Analyzing a Portable Wireless Storage Device From Zero to Remote Code Execution

This presentation will showcase our findings on the My Passport Wireless Pro device, a remote code execution 0day vulnerability was discovered.

My Passport Wireless Pro is a portable wireless WIFI storage device designed by the famous company Western Digital for outdoor photographers and Internet of Things enthusiasts. It can be used as a wifi server or wifi client to establish a connection with the user’s mobile device. Users can access the data in the storage device through the local area network. This type of IoT product has rarely been discussed at security conferences, and no clear project has been identified. This presentation will showcase our findings on the My Passport Wireless Pro device, a remote code execution 0day vulnerability was discovered. By using this vulnerability, hackers can get the remote root shell of the device operating system without any credentials, and can read and write any data in the hard disk. This vulnerability not only causes the loss of private data, but also can be used as a springboard for a larger attack, that is, spread Trojans on the LAN by infecting certain files located on the storage device. The content of this presentation will cover the entire process of analyzing hardware, analyzing firmware, fuzzing, and exploiting vulnerabilities, as well as our new perspective on IOT device security. Finally, a complete demonstration of remotely acquiring device control and obtaining important files of the device will be given.