Big access control / security problems with safepoints

Was this fixed? Seems like having a safepoint gives everyone on the network back door access to bypass permissions set on the shares?

I had the same issue and revoked all permissions from the safepoint share but then safepoint disappeared after reboot. Maybe it needs public access to function? So I couldn’t get safepoint to work securely for long periods of time. This seems like a critical issue that warrants a Response from WD.

I bet some companies are storing payroll data on locked down WD drive… With safepoint attached it’s a ticking litigation time bomb.

A company that chooses a low cost CONSUMER device with limited security options as a backup drive to host sensitive information or data is making poor choices. The lower end, single bay My Cloud units are not designed for a business environment where there is a strong need for security and redundancy. The units are designed for the home user.

Generally if one sets the Share created when one inserts the USB drive to Private (i.e., Public Access to off) and then configures User Access to that Share, those Users granted access (Full Access or Read Only) should be prompted to enter a password to access that Share and its contents.

Edit: There is also a well discussed in this subforum a bug with the current firmware that duplicates the name of the USB Share which causes Safepoint to fail to find the USB Share. The solution is to delete the USB Share (after removing the USB drive) and rename the new Share that is created back to the old Share name used when the Safepoint was created.

You’d be surprised at how many small and mid sized businesses use consumer grade equipments.

At any rate, I suspect most small/mid sized businesses won’t care about IOPS, won’t have heavy enough load to make real time fault tolerance necessary, and probably don’t have to worry about corporate espionage or attacks from nation state. In short consumer grade equipment can provide a sensible ROI when it’s properly backed up.

Regardless of whether we’re talking about consumer or enterprise gear though, by default, My Cloud opens back door access to ACLed shares when safepoint is setup using a usb connected drive. This seems like a serious flaw. It’s akin to a smartphone that leaks all photos. I don’t think people will care if they’re using a consumer grade iPhone or a enterprise ready / fortified device. No one in their right mind will think this is ok regardless of the device rating. It’s a bad bug that has been in the firmware for atleast 8months since the original post went up.

1 Like

Beware, all MyCloud and MyBook “advanced” features are full of bugs. MyCloud security does not work and I also lost safepoints after firmware updates. I locked a MyBook drive and although I am 100% sure that the password was correct I could not unlock it on a different PC anymore, fortunately I had set auto-unlock on the first PC so I did not lose all data. Since than I don’t use these drives for anything serious anymore but for simple secondary data storage. Make sure you always have a second backup of that data! BTW, such bugs don’t have anything to do with consumer vs business, it is just showing gross negligence regarding cutomer’s data, especially regarding the fact how many of these units are sold.
And one more thing: Never expose MyCloud drives to the internet.

No I wouldn’t be surprised at how many businesses both large and small use cheap consumer equipment because they cannot afford or do not want to spend the amount of money they should to properly secure their data and establish proper backup procedures. See it all the time. Fact is the lower cost My Clouds are not geared for enterprise security/backup. They are geared at the average Joe home user who needs a basic NAS that has basic remote capabilities and have basic features including backup and media serving.

Are there security issues with the My Cloud? Yes. There are several other threads that go into those issues. Will WD address some or most of those security issues? Who knows, my wild totally speculative guess is probably not due to the nature (and low cost) of the device.

Currently one can configure the USB Share to Private and configure all Users for No Access to that Share. That will generally prevent someone from being able to access that Share for as long as it is connected to the My Cloud. Safepoint will still be able to backup the My Cloud to that now Private Share. Once that USB drive is removed from the My Cloud and attached to another PC the data generally will be accessible.

The issue of the disappearing Safepoint with the latest firmware has been discussed in several prior threads. For the issue of the USB Share being renamed and the My Cloud being unable to find the Safepoint on the USB Share, the solution/workaround is mentioned in the following post:

https://community.wd.com/t/new-release-firmware-release-04-04-02-105-1-27-2016/148441/68

Basically it involves removing the USB drive, deleting any remaining USB Shares from the Dashboard UI, then reattaching the USB drive and renaming the Share back to its original Share name, at which point the Safepoint backup should reappear within the Dashboard.

And yes the My Cloud firmware is full of bugs. And yes it seems like each firmware version fixes one set of bugs but also introduces a whole new set of bugs. Is it frustrating? Absolutely. For the average home user who needs a basic cheap/low cost NAS box with basic remote access and backup options for their photos/music/videos and other data, the My Cloud generally even with some of these bugs and security issues will work fine. For others who need more full featured and mature NAS it will not.

This device isn’t fit for home use either. The justification I keep hearing is akin to saying its ok for cheaper device manufacturer to be negligent with customer safety. It’s akin to arguing it’s ok for Kia and Hyundai to ship with non operational seat belts because it’s cheaper than average cars.

Edit: Also Asus recently got hit with mandatory 20 years of security audit by FTC for their consumer grade routers lax security. Sadly their security was orders of magnitude better than my cloud.

How fit the device is for home use is a personal opinion. Trying to make analogies between the My Cloud and cars is poor because cars are required (by US law) to have seat belts. There is no federal mandate on device security for consumer level NAS devices that I’m aware of. Rather, like with the Asus case you bring up as some sort of proof, companies get into trouble when their marketing materials make claims the hardware or software cannot deliver. In the Asus case they promised to “protect computers from any unauthorized access, hacking and virus attacks.” Further the FTC complaint indicates Asus was well aware of the issues and did not fix the issues “in a timely fashion”, did not notify the customer of the issues, going so far as to claim no update available when updates were available.

Time will tell if the FTC goes after other companies like WD for potential security issue with their products. WD supposedly did address some prior security issues when they released the OS 3 firmware and revamped the WD2Go.com website (now MyCloud.com).

If you want to make a car comparison then the lower end My Clouds would be akin to cheap cars having only a driver side/passenger side airbag versus more expensive cars that have more safety features like curtain air bags, ABS, rear view camera, radar avoidance, etc (some of those advance safety features may be required currently or in the future on new car models).

Is home user’s data like photos and movies of your children less worth? If WD thinks so this is a shame. It is also a shame that a company of this size cannot afford better programmers. I am sure that they earn more money form home NAS and USB drives than from business NAS, and BTW I doubt that business drives are more stable as these are often less used and bugs are not discovered that fast.

My analogy still stands because we’re discussing what is needed and what can be fatal in its absence given the product context.

A hard drive that provides backdoor access around permissions set on shares is fatal like a safe that fails to lock.

The law hasn’t caught up to a lot of things. It doesn’t mean you can screw people over. Not sure what Bennor has to gain by rationalizing WD’s lax security stance.

Bennor’s essentially arguing that it’s ok if everyone here gets their data stolen from My Cloud because we didn’t pay enough to get basic advertised feature like access control working. He’s telling us our photos, videos, documents doesn’t deserve any privacy at all. WTF?

@EdithKain,
Please detail exactly how the security hole can be exploited when one configures the USB Share for Private Access so others here can understand what you are talking about and can evaluate if such a hole is worthy of not using the My Cloud or so they can try to find ways to lock down their My Clouds.

Currently (on v04.04.02-105 firmware on my end) when the USB drive Share has been configured for private access a Windows user, when using Windows File Explorer, is prompted for a user name and password when that User access is set to No Access via the Dashboard.

I am not excusing WD in this instance just pointing out that some may have unrealistic expectations of the lower cost My Cloud devices that may lack security features or have security bugs that more expensive NAS units may not have. And some may have unrealistic expectations of how far a company should go in fixing bugs/issues above and beyond the advertised capabilities of the device. I’d love for WD to fix all the issues I’ve complained about with the My Cloud but I am honest enough to understand that WD will generally only fix those issues that will help them sell more My Clouds and will generally only fix those issues that prevent base usage of the My Cloud. Sadly security is typically not high on a companies list of important things to fix when instead they can add a flashy new user interface.

Will the security with all its bugs on the entry level My Cloud’s prevent a determined hacker? No. Will the current security implemented on the My Cloud even with its bugs prevent casual intrusions by Joe Six Pack? Probably yes. Could the My Cloud security and those bugs in security be improved? Of course, but obviously WD has their own timetable and punch list on fixing firmware issues. Does that include fixing various security issues? Only WD knows, and they’ll probably never tell us users. Does WD need better coders? Yes, as each time firmware is release, at least for as long as I’ve been using a WD My Cloud, there always seems to be one past bug that is fixed and a new bug introduced.

I think a better analogy might be with a car’s anti-theft measures, rather than its safety-of-life features. Safes don’t provide safety-of-life features; you will not die if a safe is cracked (not fatal).

I don’t think he has anything to gain, nor is he trying to gain anything. He’s just telling things as they are; it’s an imperfect product. Either get your money back, or accept it for what it is. Tell your friends never to buy a WD product.

In an ideal world, the product would be perfectly secure (impossible, of course).
In an ideal world, WD, when notified of the discovery of security vulnerabilities in their product, would make these vulnerabilities known to customers, so customers can decide what mitigating action to take until the problem is fixed. WD choose not to do this, despite our requests.
In an ideal world, WD would fix security vulnerabilities (and many other bugs). They seem either unwilling or unable to do so.

There’s only so much you can nag a company to do the right thing before you give up, and just accept its limitations. Knowing that the device may be vulnerable, I don’t put anything on it that would cause anything other than minor embarrassment.

If you want to take on the mantle of security watchdog and try to persuade WD to do the right thing, you’re very welcome. Contact the FTC, and get them to investigate. IIRC, you’re in the ‘computer security world’; publicise what you think is WD’s laxity within this world. Maybe they’ll do something if their reputation is threatened.

Apart from making a few customers aware of security vulnerabilities, you’ll have very little effect posting here; WD don’t seem to read these forums, and rarely respond.

Exactly. The entry level single bay My Cloud’s are an imperfect product. The firmware/hardware on it is a series of compromises by WD. One of those compromises is security. (edit to add: Another compromise is buggy, badly coded, firmware.) WD could have chosen to use enterprise level security and authentication on the entry level My Cloud but they didn’t. WD could have chosen to use a better system/method of backup than Smartware on the entry level My Cloud but they didn’t.

Lets be honest here. The single bay My Cloud is what it is. One is paying basically $20 to $40 more for basic NAS capability for what is essentially a WD Red hard drive (at least the drive inside my unit was a Red). To expect serious enterprise level security for that $20 to $40 extra may be (at least to me) a bit unrealistic. Instead for that extra $20 to $40 one is paying for what is essentially a series of compromises with an NAS product. I’m not sure if WD makes any claims or promises on the security capabilities of the entry level single bay My Cloud units themselves or on the security of remote access to those units. Instead we customers bring our own expectations on the security capabilities of the product and we bring own expectations on the manufacturers responsibility to either provide that security or fix holes in what security the manufacturer has provided. I’ve love to have configurable enterprise level security on the single bay My Cloud among other things, but I realize WD will never provide that or most other wishes I have, instead the security (even with its holes) is what it is, and Safepoint/Backup is what it is on the My Cloud.

There is no such thing as compromise on security, so please no excuses! It is WD’s decision at what price they sell the drives but it is total negligence to list features that are not properly implemented since years. We are talking about large quantities of sales since many years so please don’t tell me that they do not make profit. At the same time it can’t be that hard to find some better programmers, but outsourcing to someone who has no idea about programming is of course cheaper, and this affects all WD software. So either your product is secure, or at least you try to make it secure as fast as possible, or as in this case you just spit on customer’s privacy and data in favor of profit. The worst is advertising the product with features that don’t work - and sure they advertise the features and document them in the manual. And in this case we don’t talk about complex enterprise security, we talk about simple security mechanisms that are not implemented properly and nobody cares. It is a shame for a company like WD to sell this. Regarding the security / safepoint bugs: Did they even test the firmware before release? The biggest problem is that such drives are even exposed to the internet, I would not even think about doing this, but most people do it and believe that their data is secure until someone steals it. There are no excuses!

I would agree wholeheartedly. I do NOT have either My Cloud accessible from the net. I stopped that back on Firmware 3. something. It was one of the reasons I bought the MC in the first place, but with all the issues, firmware bugs, lack of information, and general WD attitude, I have chosen not to pursue WD anymore. Either by supporting their products or recommending them.

But as security goes, it’s best left as a local networked HDD. I look at it this way, as Bennor and cpt_paranoia stated. It is what it is … and I might add that WD is writing their future NOW.

@Anguel, Don’t get me wrong, despite what some may think I am NOT excusing WD or their actions here. Rather I’m only pointing out the reality of the situation. WD like most other companies DO make compromises on security and features. And yes, there is such a thing as compromising on security. People do it ALL the time. Going back to the car example; people often choose not to wear a seatbelt or choose not to buy a car with more safety features. When one does so they are making a choice to compromise their safety and security. Both manufacturer’s and customers make these compromises all the time. The fact is that cost often drives these kinds of decisions on both the manufacturers side and the customers side when it comes to security or fixing exploits in that security.

Here is another example. How many people make the choice to buy a cheap or lower cost door lock from a big box home improvement store that can be easily picked or easily opened with a bump key versus a more expensive lock that is harder to pick or is resistant to bump keys?

The reality is there are levels of security. FTP versus SFTP, HTTP versus HTTPS. Cheep door locks versus more expensive. Door locks and no home security system versus door locks and a monitored home security and surveillance system. There are levels of security all around us and even on our own computers and web browsers. The entry level single bay My Clouds may have a lower level of security which can possible be exploitable than other NAS devices. That is not an excuse, that is how things are.

Often times how secure something is, is just an illusion. It is no different with the My Cloud. Many lower cost consumer devices provide the illusion of security rather than actual security.

Now are there ways to harden the security on the My Cloud? Yes, one could dump the OS 3 firmware and roll their own. One can disable Remote Access (which some of us here have). Should a customer have to do these things to gain actual security rather than the illusion of security? That is up for debate and discussion.

If one hasn’t purchased a My Cloud but is thinking about doing so, and is worried about the level of security or exploitability of the existing My Cloud security, then they have some decisions to make including looking at other products. If one has already purchased the My Cloud and is worried about the exploitability of the security then one, for example, can either; stop using the My Cloud, contact WD support and inform them of the issue and or complain to WD or elsewhere on internet support forums which is what is happening in this thread and hope (pray with fingers crossed) that WD will see those complaints and get around to fixing those exploits, continue to use the My Cloud and live with the security and its potential exploits, or find ways to fix those potential security exploits themselves.

Of course there is a compromise on security. Any time you break an air gap between a computer system and the internet, you are compromising security.

There’s no such thing as a ‘perfectly secure system’. If you think there is, you don’t understand computer security.

All computer security is a compromise between absolute security, accessibility/function and cost.

Regarding your comments about development and testing, I concur; WD have done, and continue to do a poor job with this product.

Yeah the WD development and testing of the firmware is bad. Like the v2.x firmware not having a shutdown button even though its mentioned twice in the user manual. Don’t know if the latest v2x firmware released a day or two ago rectified that issue. Or the v4.x firmware bug that duplicates the USB share name causing Safepoint to fail. Or in the past when upgrading the v4.x firmware it locked certain Shares including the Public Share to read only. Like I said above they seem to fix one bug but introduce one more every firmware release.

It appears, at least with the current firmware on my single bay My Cloud that when the USB Share is set to Private and no one is granted access, that Windows File Explorer users are asked for a password to access that Share. Which was the initial complaint that kicked off this thread discussion.

where can i find the ideas board (provided link results in “Oops! That page doesn’t exist or is private”)? at least the private shares should be protected from public access!

The Cloud Ideas subforum…
https://community.wd.com/c/personal-cloud-storage/cloud-ideas