I have multiple WD My Cloud 4 TB drives with latest firmware and have attached WD My Book 4 TB USB 3 (NTFS) drives to them for safepoint backup. No matter what I try the safepoints can be accessed from within my Windows networks without password which is a big security issue as everyone can see and access all files that are backed up. Setting public access to off for the mandatory safepoint auto-share and removing access for all users on the auto-shared safepoint share has no effect, sometimes the share asks for a password but after a My Cloud reboot permissions seem to change again and access to the safepoint share is public again. I have tried reformatting the USB drive and recreating the safepoint but this does not help. I expect there is some severe bug in the firmware because I have found multiple similar posts here in the forum but none of these has a solution.
This is a big security problem and as I said it concerns the safepoints of all my My Cloud drives which are in different networks. Therefore I hope that WD will look at this and fix it ASAP. Otherwise all files from all shares are accessible to everyone in the Windows network.
Anguel
UPDATE: Right now SAFEPOINT auto-share permission is set to Public Access (!) but the drive (finally) asks for a password when I try to access the SAFEPOINT folder, this seems to work also after a reboot. The question is why and for how long this will work. There is definitely something wrong...
As far as I know the safepoints are not password protected, what happens when you try to do a safepoint to another one of your Mycloud's and on a private share?
You can also post a suggestion on our ideas board:
I know that the safepoints are not password protected. The problem here is different: I don't want WD Mycloud to expose the safepoint as a public (!) share to the whole Windows network as it happens because of some obvious bug. The problem is that all backed-up files including those from all private shares become visible to the whole Windows network because the sharepoint drive is auto-shared as a public (!) share for some reason. Any files which are protected in private shares become exposed and visible this way. This makes the whole purpose of private shares useless...
I will give an example (BTW cloud functionality is turned OFF):
I create 3 private shares on the MyCloud drive: PRIVATE_1, PRIVATE_2, PRIVATE_3 and only specific users USER1, USER2, USER3 are given access to these.
Now I attach a freshly formatted NTFS USB MyBook drive labeled SAFEPOINT to the MyCloud and create a safepoint for backups on this drive. As soon as I do this, the MyCloud creates an auto-share called SAFEPOINT which cannot be deleted. Additionally this new share is public (!) and its permissions cannot be set in a logical way, so it is unprotected, i.e. everyone on the networks can access all backed up files from PRIVATE_1, PRIVATE_2, PRIVATE_3 without having to enter passwords which makes the private shares useless. Now I have played around with access settings for the SAFEPOINT share and access is currently set to PUBLIC but now the share suddenly asks for a password as soon as I want to access it - there is definitely something wrong in firmware!
Regarding your suggestion: I don't want to do backups to some other MyCloud, I want them on my USB drive which is directly attached to the MyCloud. WD supports this configuration, I have bought their drives for this reason and I want them to make it work properly.
Was this fixed? Seems like having a safepoint gives everyone on the network back door access to bypass permissions set on the shares?
I had the same issue and revoked all permissions from the safepoint share but then safepoint disappeared after reboot. Maybe it needs public access to function? So I couldn't get safepoint to work securely for long periods of time. This seems like a critical issue that warrants a response from WD.
I bet some companies are storing payroll data on locked down WD drive... With safepoint attached it's a ticking litigation time bomb.
A company that chooses a low cost CONSUMER device with limited security options as a backup drive to host sensitive information or data is making poor choices. The lower end, single bay My Cloud units are not designed for a business environment where there is a strong need for security and redundancy. The units are designed for the home user.
Generally if one sets the Share created when one inserts the USB drive to Private (i.e., Public Access to off) and then configures User Access to that Share, those Users granted access (Full Access or Read Only) should be prompted to enter a password to access that Share and its contents.
Edit: There is also a bug, well discussed in this subforum, with the current firmware that duplicates the name of the USB Share which causes Safepoint to fail to find the USB Share. The solution is to delete the USB Share (after removing the USB drive) and rename the new Share that is created back to the old Share name used when the Safepoint was created.
You'd be surprised at how many small and mid sized businesses use consumer grade equipment.
At any rate, I suspect most small/mid sized businesses won't care about IOPS, won't have heavy enough load to make real time fault tolerance necessary, and probably don't have to worry about corporate espionage or attacks from nation state. In short consumer grade equipment can provide a sensible ROI when it's properly backed up.
Regardless of whether we're talking about consumer or enterprise gear though, by default, My Cloud opens back door access to ACLed shares when safepoint is setup using a usb connected drive. This seems like a serious flaw. It's akin to a smartphone that leaks all photos. I don't think people will care if they're using a consumer grade iPhone or an enterprise ready / fortified device. No one in their right mind will think this is ok regardless of the device rating. It's a bad bug that has been in the firmware for at least 8 months since the original post went up.
Beware, all MyCloud and MyBook "advanced" features are full of bugs. MyCloud security does not work and I also lost safepoints after firmware updates. I locked a MyBook drive and although I am 100% sure that the password was correct I could not unlock it on a different PC anymore, fortunately I had set auto-unlock on the first PC so I did not lose all data. Since then I don't use these drives for anything serious anymore but for simple secondary data storage. Make sure you always have a second backup of that data! BTW, such bugs don't have anything to do with consumer vs business, it is just showing gross negligence regarding customer's data, especially regarding the fact how many of these units are sold.
And one more thing: Never expose MyCloud drives to the internet.
No I wouldn't be surprised at how many businesses both large and small use cheap consumer equipment because they cannot afford or do not want to spend the amount of money they should to properly secure their data and establish proper backup procedures. See it all the time. Fact is the lower cost My Clouds are not geared for enterprise security/backup. They are geared at the average Joe home user who needs a basic NAS that has basic remote capabilities and have basic features including backup and media serving.
Are there security issues with the My Cloud? Yes. There are several other threads that go into those issues. Will WD address some or most of those security issues? Who knows, my wild totally speculative guess is probably not due to the nature (and low cost) of the device.
Currently one can configure the USB Share to Private and configure all Users for No Access to that Share. That will generally prevent someone from being able to access that Share for as long as it is connected to the My Cloud. Safepoint will still be able to backup the My Cloud to that now Private Share. Once that USB drive is removed from the My Cloud and attached to another PC the data generally will be accessible.
The issue of the disappearing Safepoint with the latest firmware has been discussed in several prior threads. For the issue of the USB Share being renamed and the My Cloud being unable to find the Safepoint on the USB Share, the solution/workaround is mentioned in the following post:
Basically it involves removing the USB drive, deleting any remaining USB Shares from the Dashboard UI, then reattaching the USB drive and renaming the Share back to its original Share name, at which point the Safepoint backup should reappear within the Dashboard.
And yes the My Cloud firmware is full of bugs. And yes it seems like each firmware version fixes one set of bugs but also introduces a whole new set of bugs. Is it frustrating? Absolutely. For the average home user who needs a basic cheap/low cost NAS box with basic remote access and backup options for their photos/music/videos and other data, the My Cloud generally even with some of these bugs and security issues will work fine. For others who need more full featured and mature NAS it will not.
This device isn't fit for home use either. The justification I keep hearing is akin to saying it's ok for cheaper device manufacturer to be negligent with customer safety. It's akin to arguing it's ok for Kia and Hyundai to ship with non operational seat belts because it's cheaper than average cars.
Edit: Also Asus recently got hit with mandatory 20 years of security audit by FTC for their consumer grade routers lax security. Sadly their security was orders of magnitude better than my cloud.
How fit the device is for home use is a personal opinion. Trying to make analogies between the My Cloud and cars is poor because cars are required (by US law) to have seat belts. There is no federal mandate on device security for consumer level NAS devices that I'm aware of. Rather, like with the Asus case you bring up as some sort of proof, companies get into trouble when their marketing materials make claims the hardware or software cannot deliver. In the Asus case they promised to "protect computers from any unauthorized access, hacking and virus attacks." Further the FTC complaint indicates Asus was well aware of the issues and did not fix the issues "in a timely fashion", did not notify the customer of the issues, going so far as to claim no update available when updates were available.
Time will tell if the FTC goes after other companies like WD for potential security issue with their products. WD supposedly did address some prior security issues when they released the OS 3 firmware and revamped the WD2Go.com website (now MyCloud.com).
If you want to make a car comparison then the lower end My Clouds would be akin to cheap cars having only a driver side/passenger side airbag versus more expensive cars that have more safety features like curtain air bags, ABS, rear view camera, radar avoidance, etc (some of those advance safety features may be required currently or in the future on new car models).
Is home user's data like photos and movies of your children worth less? If WD thinks so this is a shame. It is also a shame that a company of this size cannot afford better programmers. I am sure that they earn more money from home NAS and USB drives than from business NAS, and BTW I doubt that business drives are more stable as these are often less used and bugs are not discovered that fast.
My analogy still stands because we're discussing what is needed and what can be fatal in its absence given the product context.
A hard drive that provides backdoor access around permissions set on shares is fatal like a safe that fails to lock.
The law hasn't caught up to a lot of things. It doesn't mean you can screw people over. Not sure what Bennor has to gain by rationalizing WD's lax security stance.
Bennor's essentially arguing that it's ok if everyone here gets their data stolen from My Cloud because we didn't pay enough to get basic advertised feature like access control working. He's telling us our photos, videos, documents don't deserve any privacy at all. WTF?
@EdithKain,
Please detail exactly how the security hole can be exploited when one configures the USB Share for Private Access so others here can understand what you are talking about and can evaluate if such a hole is worthy of not using the My Cloud or so they can try to find ways to lock down their My Clouds.
Currently (on v04.04.02-105 firmware on my end) when the USB drive Share has been configured for private access a Windows user, when using Windows File Explorer, is prompted for a user name and password when that User access is set to No Access via the Dashboard.
I am not excusing WD in this instance just pointing out that some may have unrealistic expectations of the lower cost My Cloud devices that may lack security features or have security bugs that more expensive NAS units may not have. And some may have unrealistic expectations of how far a company should go in fixing bugs/issues above and beyond the advertised capabilities of the device. I'd love for WD to fix all the issues I've complained about with the My Cloud but I am honest enough to understand that WD will generally only fix those issues that will help them sell more My Clouds and will generally only fix those issues that prevent base usage of the My Cloud. Sadly security is typically not high on a company's list of important things to fix when instead they can add a flashy new user interface.
Will the security with all its bugs on the entry level My Clouds prevent a determined hacker? No. Will the current security implemented on the My Cloud even with its bugs prevent casual intrusions by Joe Six Pack? Probably yes. Could the My Cloud security and those bugs in security be improved? Of course, but obviously WD has their own timetable and punch list on fixing firmware issues. Does that include fixing various security issues? Only WD knows, and they'll probably never tell us users. Does WD need better coders? Yes, as each time firmware is released, at least for as long as I've been using a WD My Cloud, there always seems to be one past bug that is fixed and a new bug introduced.
I think a better analogy might be with a car's anti-theft measures, rather than its safety-of-life features. Safes don't provide safety-of-life features; you will not die if a safe is cracked (not fatal).
I don't think he has anything to gain, nor is he trying to gain anything. He's just telling things as they are; it's an imperfect product. Either get your money back, or accept it for what it is. Tell your friends never to buy a WD product.
In an ideal world, the product would be perfectly secure (impossible, of course).
In an ideal world, WD, when notified of the discovery of security vulnerabilities in their product, would make these vulnerabilities known to customers, so customers can decide what mitigating action to take until the problem is fixed. WD choose not to do this, despite our requests.
In an ideal world, WD would fix security vulnerabilities (and many other bugs). They seem either unwilling or unable to do so.
There's only so much you can nag a company to do the right thing before you give up, and just accept its limitations. Knowing that the device may be vulnerable, I don't put anything on it that would cause anything other than minor embarrassment.
If you want to take on the mantle of security watchdog and try to persuade WD to do the right thing, you're very welcome. Contact the FTC, and get them to investigate. IIRC, you're in the "computer security world"; publicise what you think is WD's laxity within this world. Maybe they'll do something if their reputation is threatened.
Apart from making a few customers aware of security vulnerabilities, you'll have very little effect posting here; WD don't seem to read these forums, and rarely respond.
Exactly. The entry level single bay My Clouds are an imperfect product. The firmware/hardware on it is a series of compromises by WD. One of those compromises is security. (edit to add: Another compromise is buggy, badly coded, firmware.) WD could have chosen to use enterprise level security and authentication on the entry level My Cloud but they didn't. WD could have chosen to use a better system/method of backup than Smartware on the entry level My Cloud but they didn't.
Let's be honest here. The single bay My Cloud is what it is. One is paying basically $20 to $40 more for basic NAS capability for what is essentially a WD Red hard drive (at least the drive inside my unit was a Red). To expect serious enterprise level security for that $20 to $40 extra may be (at least to me) a bit unrealistic. Instead for that extra $20 to $40 one is paying for what is essentially a series of compromises with an NAS product. I'm not sure if WD makes any claims or promises on the security capabilities of the entry level single bay My Cloud units themselves or on the security of remote access to those units. Instead we customers bring our own expectations on the security capabilities of the product and we bring our own expectations on the manufacturer's responsibility to either provide that security or fix holes in what security the manufacturer has provided. I'd love to have configurable enterprise level security on the single bay My Cloud among other things, but I realize WD will never provide that or most other wishes I have, instead the security (even with its holes) is what it is, and Safepoint/Backup is what it is on the My Cloud.
There is no such thing as compromise on security, so please no excuses! It is WD's decision at what price they sell the drives but it is total negligence to list features that are not properly implemented since years. We are talking about large quantities of sales since many years so please don't tell me that they do not make profit. At the same time it can't be that hard to find some better programmers, but outsourcing to someone who has no idea about programming is of course cheaper, and this affects all WD software. So either your product is secure, or at least you try to make it secure as fast as possible, or as in this case you just spit on customer's privacy and data in favor of profit. The worst is advertising the product with features that don't work - and sure they advertise the features and document them in the manual. And in this case we don't talk about complex enterprise security, we talk about simple security mechanisms that are not implemented properly and nobody cares. It is a shame for a company like WD to sell this. Regarding the security / safepoint bugs: Did they even test the firmware before release? The biggest problem is that such drives are even exposed to the internet, I would not even think about doing this, but most people do it and believe that their data is secure until someone steals it. There are no excuses!
I would agree wholeheartedly. I do NOT have either My Cloud accessible from the net. I stopped that back on Firmware 3. something. It was one of the reasons I bought the MC in the first place, but with all the issues, firmware bugs, lack of information, and general WD attitude, I have chosen not to pursue WD anymore. Either by supporting their products or recommending them.
But as security goes, it's best left as a local networked HDD. I look at it this way, as Bennor and cpt_paranoia stated. It is what it is ... and I might add that WD is writing their future NOW.
@Anguel, Don't get me wrong, despite what some may think I am NOT excusing WD or their actions here. Rather I'm only pointing out the reality of the situation. WD like most other companies DO make compromises on security and features. And yes, there is such a thing as compromising on security. People do it ALL the time. Going back to the car example; people often choose not to wear a seatbelt or choose not to buy a car with more safety features. When one does so they are making a choice to compromise their safety and security. Both manufacturers and customers make these compromises all the time. The fact is that cost often drives these kinds of decisions on both the manufacturer's side and the customer's side when it comes to security or fixing exploits in that security.
Here is another example. How many people make the choice to buy a cheap or lower cost door lock from a big box home improvement store that can be easily picked or easily opened with a bump key versus a more expensive lock that is harder to pick or is resistant to bump keys?
The reality is there are levels of security. FTP versus SFTP, HTTP versus HTTPS. Cheap door locks versus more expensive. Door locks and no home security system versus door locks and a monitored home security and surveillance system. There are levels of security all around us and even on our own computers and web browsers. The entry level single bay My Clouds may have a lower level of security which can possibly be exploitable than other NAS devices. That is not an excuse, that is how things are.
Often times how secure something is, is just an illusion. It is no different with the My Cloud. Many lower cost consumer devices provide the illusion of security rather than actual security.
Now are there ways to harden the security on the My Cloud? Yes, one could dump the OS 3 firmware and roll their own. One can disable Remote Access (which some of us here have). Should a customer have to do these things to gain actual security rather than the illusion of security? That is up for debate and discussion.
If one hasn't purchased a My Cloud but is thinking about doing so, and is worried about the level of security or exploitability of the existing My Cloud security, then they have some decisions to make including looking at other products. If one has already purchased the My Cloud and is worried about the exploitability of the security then one, for example, can either; stop using the My Cloud, contact WD support and inform them of the issue and or complain to WD or elsewhere on internet support forums which is what is happening in this thread and hope (pray with fingers crossed) that WD will see those complaints and get around to fixing those exploits, continue to use the My Cloud and live with the security and its potential exploits, or find ways to fix those potential security exploits themselves.