WD Community

Disturbing news about MBL has me wondering

according to what i've read about this recent compromise and via online news reports (Important Announcement About Your WD My Book Live Product: WDC-21008) … should i assume that any form of cloud access has the potential to push triggers/commands to a connected device ?

i don't know the details of how the mass extinction of data actually was implemented, and assuming that a remote kill command might be the mechanism …

i would wonder then, what exactly can be done on my nas on OS 5 if cloud access is enabled ?

any suspicion on third party apps ?

I have disabled cloud access on my devices as a precaution for now until WD makes some detailed announcement.

I genuinely think that remote access via one’s public IP address instead of WD hosted centralized remote access is a better option. WD needs to make such an option available to people who know how to set up their routers with dynamic DNS.

i weighed the prospect of having access to the drive when not home vs. the prospect of an event like that which happened on the MBL.

turned off cloud access as well.

always had some ? marks lingering around about how securely implemented cloud access and 3rd party apps really are.

i’m always keeping an eye on my router’s firewall to make sure signatures are up to date, logging blocked events and also monitoring my network devices for malicious activity. been doing this for some years. but it's getting to the point where i want to implement a second hardware firewall between the internet and my router.

i feel bad for those that lost their only copy of data. i guess it serves as a lesson to get some data redundancy built into their nas or network.

Short answer: ANY DEVICE OPEN TO THE INTERNET IS VULNERABLE.

That is a general statement, that applies to all devices from all manufacturers. Also applies to Military systems and public/private infrastructure.

The more systems you are hooked to. . .and the older your hardware/software is. . .the more vulnerable you are.

So in this case. . . . .WDLive firmware dates from 2015. So top notch security that is 7 years old. That’s about 42,642 years in people years :wink:

As a first step, I have turned off cloud access on my OS3 device.
As a second step, I have turned off my OS5 device.

The OS3 device is still accessible to the internet. . .via VPN to my home network. So it has some level of protection; but I will likely start looking how to improve the security in a few months.

@NAS_user

i agree with your position.

i couldn't help but say something in the OS 5 sub-forum, even if the platform is not yet affected - it is only a matter of time, imho.

somewhat helpless here knowing the device is serving my home via a device actively connected to an internet connection and meanwhile my ISP is ‘hands-off’ concerning keeping an active eye on malicious traffic to my public IP that they issued.

i guess, looking back some months, that odd failure i had with the wd blue-equipped MB i used to back up my NAS - was essentially nature slapping me in the face to wake up and get some better hardware and more robust backup scheme going.

although, even with that implemented now and working for me - those external USB devices can still be accessed by anyone who gains ssh root access on my NAS. scary !

next steps for me are probably going to be building another infrastructure inside my home network completely isolated from the internet but not easy to do given my home computers/devices will have access.

What I find most troubling is WD was aware of this security vulnerability (follow the links in original post), did nothing to rectify and is now hiding behind legacy product, last firmware update in 2015 or the more generic argument any internet connected device is susceptible. I don’t expect firms to forever keep shelling out firmware or feature additions but critical vulnerabilities need to be addressed. It’s really sad for those affected and I hope they can recover their data with or without WD’s help.

i would argue that you, as well as every other user that trusts a storage brand with their XX years of files/data/media (basically your digital life, pictures, videos, music, memories …) SHOULD EXPECT robust legacy support.

i have a 7 year old router that is still (although less often) pushed firmware updates by the manufacturer even after it’s been deprecated officially. in addition to that, the manufacturer still actively pushes signature updates to the firewall as frequently as any new router they sell with the same firewall capability as mine.

i think WD, at the very least, is going to get sued big time. combine that with countless people coming forward to speak up about failed hardware that eradicated their digital life savings - and what you will get is one company with a reputation worthy of the crappy directors that called the shots over the past decade.

How long is WD liable for software protection to defunct products? That is an interesting question.

I am not familiar with this product. . . .but we are talking last firmware 6 years ago? Does that mean last sold 8 years ago?? I mean. . . . .“forever” is a long time to support legacy. 36 minutes is a tad short. Hmmm. . . where is the balance?

And yes. . . . OS/3 is probably in the same category. They “EOL” OS3 last year. . . how long should I continue using that device? Especially considering that OS5 has raised enough questions . . .that I don’t see it as a viable alternative.

Times change. I used to have data on my PCs. One rogue software update. . .reinforced why I never keep important files on the PC. Everything is on external drives.

Times change. I used to SWEAR by 2.5" HDD external drives. My latest, however, has gone SMR technology. . . and is utter crud. I only found out because I started investigating why it had poor performance. On to the SSD drives.

My next step will be to get the NAS (with decent software) behind a better VPN firewall.

Cutting the cord is nice in principle. . . .hard in practice if you don’t want to live like it’s 1992. I was travelling this (cars, planes, trains). - - you can maybe still do it without a cell phone; but that is just making it hard on yourself. You can’t do it at all without a credit card.

in my next life, the house i live in will have ethernet connections everywhere there are power outlets =)

it seems that, long gone are those days of solid integrated circuits that were not subject to firmware and software updates. don’t get me wrong here, evolution took over and that’s fine, except for the fact that it moves SO fast, that features ppl like are getting canned, new features or functions are the only way forward and the law of digital nature - that what was given can be taken away.

humans tend to think in terms of what they own, they own forever. that holds true for the physical world still. i still can hold onto my 15 yr old ipod 5 and apple hasn’t changed it since they abandoned it - and you know what ? it still works predictably and great (granted a few battery replacements over the years) … but nowadays, anything running on software – regretfully is not yours – it’s owned by the company that’s pushing their own software agenda to it when you agree to use and install updates.

i wish there were a set-in-stone piece of hardware that’s reliable and stores my data and i don’t have to evolve with it to the point that it becomes obsolete in 2 yrs. i would like the idea of my kids plugging my NAS into power some years later and it functions exactly as it does today.

sorry for the rant.

So back to the topic at hand. . . . .I am inspired by this thread to rethink my network security.

Currently, I find OS5 too “noisy” and phoning home too often . … which is why my “main” NAS is on OS3. But I am not fool enough to think OS3 is really bullet proof. . . . I have turned off cloud functions; but I can still access the device remotely via a network VPN connection.

Maybe. . . I should rethink that. Are there ports I am unaware of open on the router to the NAS? If I am willing to sacrifice remote access. . . then I can;

  1. Block internet traffic to the MAC address of the NAS (from the router). . . will that do it?

  2. Put the NAS on a VLAN. In practical terms (since I am not buying a $500 router); that means putting the NAS on a separate dedicated $50 wifi Router that has no WAN connection. . . If I want to access the NAS; all I have to do is log onto the new network. . . .

But if I do want to remotely access the NAS, . . . I have essentially created the dreaded double-nat configuration that confounds WD servers. Certainly, I have added a layer of protection into the system. Hmmm. . . if I have a double nat. . . is there a safe way to VPN into it (presuming I hook a LAN connection from the main network to the second network)/ / / more scotch required as I read

@NAS_user
sorry, don’t have enough in-depth knowledge with securely configuring a nas/router relationship with confidence that the access point is going to be robust enough to deter good hackers.

even if you succeeded and set up a very private, nearly invisible remote connection, you still have some risk of it being discovered, scoped out, eventually compromised. let's say this theory of mine is very unlikely and you proceed for some years to use the nas remotely without incident - you still know in the back of your mind that these devices regularly ping WD servers. that is another established conduit to the outside world … you cannot turn it off because the nas OS is written to phone home without the user being given a choice to turn that off in the dashboard.

if you do travel and you need access to your stuff, is a portable drive an option ? or an encrypted space somewhere on your carry on device ? even if you need a few TB of data on-hand, there are portable devices you can find that probably won't break your back lugging around.

for myself, when i travel i put data i need onboard my carry on device and just power down the network hardware that isn't necessary.

i don't know what type of data you need access to nor do i want to know, just may be better to drag it along with you and physically unplug your home nas from your home network when not needed if that's feasible.

physical disconnect from any internet connection is as safe as you’re going to get.

Well. . . .

. . . .yes. . it’s not just pinging the WD servers. . . it’s pinging them and communicating your IP and port addresses (this is how it makes the HTTPS redirect happen) (this was why I abandoned OS/5)

. . . . .truth be told I do travel. Quite a lot, pre-pandemic

Historically, I have been one of those “take it with me” guys… . .because internet while travelling has been historically sketchy. Sure. . . today. . .in the US. . . . between wifi and phone hotspots. . you do ok. Internationally. . . .not so much. And certainly. . . no access on long haul flights.

So my historical answer was to bring a 4tb passport HDD with me. I could bring pretty much everything. Worked great. . . . except the newest 2.5" drives are now all SMR. . . . no bueno. So - - -prune a bunch of video. . . . (I mean a lot); and I am now rocking a 1tb SSD.

Which is why I am thinking to cut the cord. . .because I can.
I am warming up to the idea of an independent router for the NAS box.
The VPN access to the network is a “nice to have”; I use it sporadically - - -and that is factoring into my risk calc.

you have a good path forward it seems. dumping the SMR drive for an SSD is def. a wise choice. even if you had a CMR 2.5" disk, portability is somewhat risky, with a working hdd getting knocked into or dropping on the floor while travelling you risk damage to the data or the platter I guess – you don’t worry about that with an SSD.

i am also interested in researching how to further bury the NAS inside my network so perhaps another access point somewhere might be possible to do, but in the end, if devices inside the home network are connected to the NAS for content serving, there is still some risk.

i thought about setting up an entire server box of some sort but prefer to just get a hardware firewall and put it in between the NAS and the Router. Thinking in theory or intent but i don’t know technically, what’s involved with getting that fully working.

how can i kill off all communications between the NAS and WD servers ? if someone knows how to do that via SSH, please share. I would also want to be able to reverse that for when I do want to turn on cloud access and check for firmware updates.

Firmware updates on OS5 have been so frequent, it’s actually worrisome … they must have rushed it out the door to get extra points for coffee at dunkin donuts or something … ha

Thinking about it. . .

Is it as simple as setting up a standard VPN connection to the outer network. . .then once that is established, opening a SECOND VPN connection to the inner network?

I wonder if the OpenVPN software can handle that. . .or would its logic explode?

OK. . .that gets me in. . . .but fundamentally. . . .I need a port open on the inner network. . . . and a port open on the outer network. If two ports are open. . .don’t I have a path for intrusion? Or is it harder for most automated threats to negotiate opening of two ports in succession? In other words, if the NAS opens port 49625 on the inner router that may be well and dandy. . .but I imagine port 49625 would be blocked by the outer router. . .and there is nothing that is going to map the VPN port (say. . .80443) to the NAS port on the inner router IP address.

Just don’t assign a gateway for your NAS and it won't have internet access. It's straightforward and the simplest thing to do with any kind of setup you have.

thanks for that, i don’t see anything in the dashboard where I can turn off the gateway… could you let me know where the setting is located ?

In the network settings, configure the static IP address and don’t give the default gateway or DNS servers. This will make the NAS accessible only on the LAN it is connected to.

sorry, i don’t see that here. i’m already static IP:

further to this (removing DNS server information), what is an SQLdatabase used for on this NAS ?

i would turn it off if it is not needed for me to conduct my normal usage at home. is it a necessary feature for when cloud access is enabled ? only apps i have installed on the NAS are USB Backup and Twonky

In OS/3. . . . .If you CLICK on the static or DHCP buttons, you will be a mouse click or two away from a screen where you can enter the parameters. Suspect OS/5 works the same.

If you are on DHCP. . the gateway and IP address are assigned by your router. If you are on Static, you can assign the IP address as @Shreyas suggests.

Note: I use DHCP, and assign the IP address manually from the router. This way. . .if the NAS gets reset. . .or I do something crazy to the router (Like replace it). . . .I still retain access to the NAS.

I am going to test the “gateway” thing later today. I am wondering if that also compromises VPN access
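
A way to verify the no-gateway, no-DNS setup suggested earlier in the thread, as an added example that is not part of the original posts and not WD's code: it parses routing-table and resolver text and reports whether any configured path off the LAN remains. The sample addresses are constructed, and the presence of the `ip` tool on the NAS is an assumption.

```shell
#!/bin/sh
# Added example: does this host still have a configured path off the LAN?
# All addresses below are constructed samples, not values from the thread.

# Sample `ip -4 route show` output with and without a default gateway.
ROUTES_WITH_GW='default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
ROUTES_LAN_ONLY='192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Sample /etc/resolv.conf contents with and without resolvers.
RESOLV_WITH_DNS='nameserver 192.168.1.1
nameserver 203.0.113.53'
RESOLV_EMPTY='# no resolvers configured'

# Succeeds if the routing table text contains any default route,
# including ones without a "via" hop (e.g. point-to-point links).
has_default_route() {
    printf '%s\n' "$1" |
        awk '$1 == "default" || $1 == "0.0.0.0/0" { found = 1 } END { exit !found }'
}

# Prints each configured resolver address, ignoring comments.
nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" && $2 != "" { print $2 }'
}

# Prints "lan-only" when neither a default route nor a resolver remains,
# otherwise a comma-separated list of what is still configured.
egress_status() {
    status=""
    if has_default_route "$1"; then status="default-route"; fi
    if [ -n "$(nameservers "$2")" ]; then status="${status:+$status,}dns"; fi
    printf '%s\n' "${status:-lan-only}"
}

echo "before: $(egress_status "$ROUTES_WITH_GW" "$RESOLV_WITH_DNS")"
echo "after:  $(egress_status "$ROUTES_LAN_ONLY" "$RESOLV_EMPTY")"

# On a live system (assumes the `ip` tool is present on the device):
#   egress_status "$(ip -4 route show)" "$(cat /etc/resolv.conf)"
# Repeat with `ip -6 route show`; IPv6 default routes appear as "default" too.
```

A `lan-only` result only means no routed path is configured; hosts on the same LAN can still reach the NAS, and switching the device back to DHCP lets the router hand out a gateway again.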
