Do not buy!

Don't buy any My Cloud product from WD; they don't care about security updates.

There are several bugs in the software of all My Clouds. 85 bugs were detected in early 2017 and some new/same ones were detected in June, and WD was informed about them. WD answered with "give us 90 days' time to fix them". Now in 2018 they are still not fixed. Additionally, we have the problem that Spectre and Meltdown are affecting our My Clouds because they have Intel CPUs inside. Also, for PCs and laptops, Windows/Linux and Apple are providing updates to fix it, BUT for our My Clouds WD has to provide updates, but like all the other problems which are not solved, I would say they will never fix them.
Pls contact support to put some pressure on their shoulders and spread this news on the internet. Make it public to force this company. They are not willing to keep your data safe as long as they still make money. That's at least what I think about them, because they don't fix bugs from the beginning of 2017.
Here is a link:
https://www.exploitee.rs/index.php/Western_Digital_MyCloud

Greetings Beni

1 Like

@Burton1224,
Apparently WD has (reportedly) fixed some or all of the vulns mentioned in the Exploitee report when they issued the latest firmware release in November of last year:

If one had used the forum search feature, magnifying glass icon upper right, they'd find that there are already several past discussions on the Exploitee vulns and WD's foot dragging in issuing a fix.


They haven't, m8. They released it 3 January; the fixes are from last year.

I was thinking, what about the SSH service of the My Cloud? The My Cloud I have is connected to the internet 24/7 and only the SSH service is available. UPnP is off. I have read SSH was vulnerable to an attack in 2016. Is it still?

Your initial post included web links to two different sets of vulnerabilities. The Exploitee discussion is from 3/03/2017 and is apparently a different vulnerability than the vulnerability discussed by GulfTech (if I understand things right). Supposedly WD has dealt with the Exploitee mentioned vulnerability with the November firmware release, but the GulfTech vulnerability is new and hasn't been patched yet.

Is your My Cloud connected to a router that is then connected to the Internet? If so then your router is supposed to block inbound access to your My Cloud including the SSH ports UNLESS you configure that router to port forward the SSH ports to the My Cloud.

Generally if one disables remote access on the My Cloud Dashboard their My Cloud should be protected from internet broadband hacks by the local network router's firewall. Typically one would then need to have access to the local network (via WiFi or Ethernet) to attack the My Cloud's security vulnerabilities. Network security is a multi-step process. From ensuring devices on the local network are secure to ensuring the network router is secure to ensuring no rogue devices access via wireless or wired network connections.

And these two are still not completely solved, and with Spectre and Meltdown there are two new security problems on the market, for sure not the fault of WD, but they have to provide a fix for their products, otherwise the security is not given.

So… since I've forwarded port 22 to my WD My Cloud, my system is vulnerable, I understand. A shame, since I use it as a remote backup with rsync over SSH :'(

WD's code monkeys typically take a long time (multiple months) to issue firmware updates. And they will most likely do so with these latest vulnerability reports. My wild assumption is WD typically has a project timeline for firmware updates and fixes and will have to update that project timeline with these latest vulnerabilities to keep things on that timeline. As such we probably won't see a fix until the next scheduled firmware release; these typically run upwards of four to six (or more) months apart. Currently the only known workaround to try and prevent these vulnerabilities from being accessed is to block/turn off remote access to the My Cloud. Of course this does take away one of the main selling points/features of the My Cloud.

However, some of us, me included, generally do not use remote access and have it turned off. As such one would typically need local network access to the My Cloud to exploit the various unpatched vulnerabilities.

On a side note and not a defense of WD. Security vulnerabilities are nothing new. Most if not all manufacturers' network devices have them from time to time. The key is to patch them, especially the severe ones, in a timely fashion.

FWIW you don't need to care about Spectre and Meltdown on the WD devices. At least Meltdown is a local exploit which mostly affects multi-user environments where users with low privileges working on the systems get the possibility to access data they are not allowed to access.

It looks like now is the time to sell Western Digital's shares!!!
R.I.P. WD !!!

Meltdown can also be abused from outside, m8.

Nope, it can't be abused directly from remote on a WD device, as you need to run code locally by e.g. abusing another vulnerability or by getting shell access (Meltdown) or via e.g. JavaScript in a browser (Spectre).

So there is no direct attack vector for both vulns on a WD device, especially not from remote.

As long as your WD device is connected to the internet, everything is possible, even if you switched internet access off in the options.

I think we should stay with the facts. There are indeed unfixed vulnerabilities on WD devices as currently discussed in various threads. But Spectre and Meltdown are ones which can’t be exploited remotely without abusing other vulnerabilities.

Well, maybe there is a misunderstanding… I was thinking about if someone hacks your PC, he can use it remotely. Or if he/she has access to your PC over a network. But your thoughts have been if everything is alright and security is perfect.

We’re talking about WD devices here, not about any PCs. And even if an attacker is able to get to your local network or hack a PC in your network he can’t abuse Meltdown or Spectre directly against the WD device.

I would strongly suggest you read into such topics first before throwing assumptions around.

If someone hacks your WiFi (or wired Ethernet), or hacks your PC or other local network device other than the My Cloud, then your entire local network and all devices on it are potentially compromised/vulnerable, not just the My Cloud.

Once a hacker has control of your local PC there are a number of attack vectors they could use that do not involve the various security vulnerabilities mentioned both here and in other discussions in this subforum.

If your local computer is compromised, the hacker has potential access to any Private Share on the My Cloud if one has mapped drives or has logged into that Private Share with that compromised computer or device. Further, if one uses SSH programs like Putty or WinSCP (or others) on that compromised PC to access the My Cloud, the hacker could potentially, if they have full remote control access to that compromised PC, access the My Cloud using SSH bypassing the My Cloud Dashboard entirely to hack the My Cloud at the firmware level.

If one disabled remote access on the My Cloud there is no clear way to directly attack that My Cloud device directly from outside the internet without compromising another device/computer on the local network first. One’s local network router is supposed to firewall that My Cloud from the internet at large and prevent access directly to the My Cloud device.

Just because one patches this vulnerability doesn’t mean their My Cloud is now 100% safe from being hacked. Good network security is a multi layer, multi tiered approach.

2 Likes

I read enough about it. Just as information: networks are easy to hack, especially WLAN; if someone is using Bluetooth it's the easiest. Maybe not for you but for other people… Spectre and Meltdown are CPU-related bugs, which are not even safe after Windows updates; as soon as someone has cracked the Windows update he/she will be able to use the bugs again. And as soon as you have access to the PC which is used for WD My Cloud access, it's just a short time until they get your data, but it's also possible to go directly against the My Cloud; you don't even have to hack the PCs.

I think you still don't understand that I'm not talking about all the stuff / assumptions you're currently making here (for all that just read the post of @Bennor above).

There is one thing we can be sure of without making blind assumptions: there are no remote attack vectors for WD devices for the Meltdown and Spectre vulns, as pointed out multiple times.