How secure is wd my cloud?


#1

I switched to NAS from Dropbox after hearing that dropbox is not very secure. I was thinking of switching to SpiderOak but then liked the idea of having my own files locally and access them directly. But now I see that the access goes through WD - does that mean they potentially have access to all our files? Is there end to end encryption?

Any answers would be much appreciated as this was the main reason I switched.


WD My Cloud service and how it works
Are data exchanges ciphered?
#2

Yeah, tehnically WD have access to all our files (Because WDMC connected to wd2go through OpenVPN. Its secure connection, but wd2go.com can see all your files.)

Need real “Security” - Build your own system (Source code for Kernel, bootloader and all system apps are available by GPL)


#3

^Curious, is that the case only with Remote Access activated? Or is that the case even with it off?


#4

>>>But now I see that the access goes through WD - does that mean they potentially have access to all our files? Is there end to end encryption?

I also liked the idea of controlling my own personal cloud. Since you mentioned security I suggest using My Cloud to locally store and serve your media files and share aaother documents within your home. I have disabled remote access on dashboard, blocked access at my router. I have full access using hard wire or wifi from anywhere in my house using iPhone, Mac, Windows, Linux.


#5

Think you guys got it all wrong. Wd2go is merely providing us with remote access service but they do not have access to our local data unlike those online cloud provider even if it’s through openvpn because they do not have our local shares login credentials. That’s where the java API prompts you for your share logins before the drive is being mapped to the remote PC. For the mobile apps, it uses hashed credentials generated from the WD Dashboard to allow you to access your shares via webdav.

Technically what they do is to provide us with a dns forwarding service that help us to login remotely without the need to remember our dynamic ip address : port. And if your home network is not able to do direct SSL connection, it will then use openvpn to tunnel the connection to your nas.

I do not represent WD but it doesn’t take a lot of effort to read their source codes.


#6

That’s what I wanted to hear!! Can anyone from WD confirm this?


#7

Thanks Nazar78 for the response. Much appreciated.

I’m conscientious about privacy rights and not a fan of dropbox (as per Snowden’s comments).

I hope more people will demand end to end encryption and not have the apathetic attitude of ‘I’ve nothing to hide’.


#8

WD does not have access to any of your files.  Wd2go is just a service that redirects you to your drive.  Its a direct connection if you are in port forwared mode, if you’re relayed, then the connection uses WD servers (openvpn) to redirect you to your drive.  


#9

OK, but given that they’re a man in the middle, if WD2GO is compromised, can’t a hacker capture your password (and then send you on to your own drive with you none the wiser)?

Also, see  http://www.techrepublic.com/article/western-digitals-extended-service-outage-is-a-rude-awakening-for-my-cloud-customers/ – even if it’s not insecure, it is a single point of failure.


#10

pickfork wrote:

Also, see  http://www.techrepublic.com/article/western-digitals-extended-service-outage-is-a-rude-awakening-for-my-cloud-customers/ – even if it’s not insecure, it is a single point of failure.

Yes using WD2Go, like many online services, introduces the possibility of a single point of failure, but the fact is that not everyone is capable, has the hardware (or software), or wants to spend the time setting up end to end VPN (even using OpenVPN) to access their WD My Cloud. WD2Go offers an easy solution that works (for the most part) for many people to access their WD My Cloud.  

On the general subject of how secure the WD My Cloud is, or that ANY entry level low cost consumer device is. The second you open up any device to access from the internet you introduce the possibility of it being hacked or accessed by others. The dirty lilttle secret which no one likes to talk about with the masses, pretty much any device that is not 100% “air gapped” is a security liability. Even “air gapped” devices could be vulnerable in the wrong hands. If you have truly sensitive data then either don’t put it on a device connected to a network, or invest in enterprise level devices and security and practice enterprise level security procedures. The masses lives under the illusion of security when it comes to their PC and internet connected devices.


#11

I’m hoping my comments/questions here actually belong in this thread…

My goal:  understanding what I need to do on my (WD MY CLOUD) NAS to make the default Shares secure.  Read on.

Follow my train of thinking here for my concerns with security :

1a. many (all?) of the default Shares on this NAS (eg, Time Machine backup, Smartware, I believe even my initial “admin” user’s home/personal share) are setup with ‘Public’ access

*and*

1b. by default, these same shares are setup with what I see as the public/guest access…ie, no real credentials required.

2.  If ‘remote access’ is indeed turned ‘on’ for my NAS…

Then, can somebody explain how my data on my NAS is indeed “secure”?  That is, couldn’t *somebody* (eg, Wd2go, possibly others on the internet???) access those default Shares?

I *could* see it being secured for a Share with Private access, or requiring credentials…but, otherwise, it’s not clear to me.

Oh…furthermore, with my original train of thinking, does it then make sense to make the T.M.-backup and Smartware shares “private” and requiring credentials?  (Can that be done once backups for these are already setup for those default Public/guest Shares?)

thanks

Ben


#12

bmoir wrote:

 

Then, can somebody explain how my data on my NAS is indeed “secure”?  That is, couldn’t *somebody* (eg, Wd2go, possibly others on the internet???) access those default Shares?

 

I *could* see it being secured for a Share with Private access, or requiring credentials…but, otherwise, it’s not clear to me.

 

Oh…furthermore, with my original train of thinking, does it then make sense to make the T.M.-backup and Smartware shares “private” and requiring credentials?  (Can that be done once backups for these are already setup for those default Public/guest Shares?) 

The answer to your questions is to simply set “Public Access” to “Off” on all Shares, then enable “User” access individually on each of the now Private Share folders. At first glance it appears one cannot change the “Public Access” setting on the Public Share folder. Thanks to a bug in the WD My Cloud Dashboard, one can change the “Public Access” setting by attempting to change the name of the Public Share through the Dashboard, which will generate an error. After closing the error message one can then change  the “Public Access” setting to “Off” on the Public Share.

Note however that resetting the WD My Cloud or upgrading the firmware may reset the “Public Access” setting for the Public Share folder back to “On”. Apparently the Public Share folder is utilized by the Twonky media server.

You can solve all of this by not putting any files in the Public Share in the first place like is recommended in the Twonky/DLNA FAQ thread at the top of this subforum.

As to your question about your NAS being secure. Nothing is 100% secure once connected to a local network and or if connected to the internet. Ultimately it is the user’s responsibility to secure the equipment on their local network and to set levels of access to that equipment if they can.

One further word of note. While you can configure all the Shares to require a username/password to access, keep in mind that if you enable “Media Serving” on any or all Private Shares, a DLNA client will be able to access and view any media in that Private Share. Disable “Media Serving” on any or all Private Shares you do not want accessed by DLNA clients. DLNA is a method for streaming media (video, audio, pictures) across the local network to DLNA enabled devices and software.


#13

Bennor wrote:


    • *-- snipped some --> As to your question about your NAS being secure. Nothing is 100% secure once connected to a local network and or if connected to the internet. Ultimately it is the user’s responsibility to secure the equipment on their local network and to set levels of access to that equipment if they can.

 

– snipped some –

Bennor,

Thanks for your clarifications.  They actually matched many of my assumptions based on what I had read earlier in this thread, and in other info I had seen.  They’ve given me the confidence I needed to proceed with some changes.  Thank you!

One of the reasons I was confused on this matter, is that any of the documentation I’d seen thus far, including the User Manual, basically indicated to actually use the default Guest / Public shares “as-is”…  That is, I did not see *any* mention of *setting* a Guest password, or alternatively (as you’ve described) essentially using Private shares that are user/pwd protected.

re: NAS being secure once on a local network or the internet…

Yes.  Totally understand this (and indeed part of the main reason for my questioning of it in the first place).  :wink:

So, I’m planning to convert the T.M-backup and Smartware shares from Public to Private.  Each share already has data backed up to it.  Do you foresee any hiccups with what should hopefully just be an easy toggle?  (I anticipate just toggle from Public to Private, and then re-connect from the “source” computer…and that’ll be it.  Sound about right?)

thanks

Ben


#14

bmoir wrote:

 

So, I’m planning to convert the T.M-backup and Smartware shares from Public to Private.  Each share already has data backed up to it.  Do you foresee any hiccups with what should hopefully just be an easy toggle?  (I anticipate just toggle from Public to Private, and then re-connect from the “source” computer…and that’ll be it.  Sound about right?)

Yes it is as easy as a toggle. Just click on Public Access to change it from On to Off. Then under User Access on that same screen select the permission level (No Acccess, Read Access, Full Access) for each individual user.

Where the hick-up may happen is with the PC or Mac that access that drive not popping up a username/password dialogue box after the permission changes have been made on the Share. Sometimes, at least with Windows OS, you may get a message about the folder/share being inaccessible due to not having the permission to access it after changing the Pubic Access option to Off on a Share. If the Share folder was mapped, remove the mapped folder then attempt to map it again and you should get a username/password entry box. Other times a simple restart of the computer fixes the issue.


#15

Bennor,

Thanks again for the clarifications, to give me the confidence to toggle these Public/guest shares to “more” Private…

I think I’ve got it setup correctly now, and seems to be working fine.  :slight_smile:

Very much appreciated.  Thank you!

Ben


#16

Are you suggesting a DNS can mitm you?