Huge error security to all devices

Hello,

I think this hard drive has a huge security flaw. If I place my Mycloud HDD anywhere else accessible (physically), as easy as someone to come and reset the device for 4 seconds so that the password is reset as indicated in the manuals and can enter all my Folders. Anyone, can reset the device and then go to wdmycloud.local and display all visible folders for any user.

Is this really true or do you do it for some reason? One solution would be by sending an email to accept the reset or not the device, but this means that anyone who has tangible access to the physical device, can access all my data at least to the administrator account to access Total to the device, which I find a huge security error.

I find that my data is not secure with this error. I have asked support and they tell me that they are looking at this error, but ā€¦ how can they sell a device with this bug? I want to say that this fault = have any free Mycloud without password (Even if you have password ā€¦)

Very bad for WD ā€¦

Itā€™s a consumer device, intended for home use.

Donā€™t trust people not to fiddle with your mycloud? Donā€™t let them in your home.

Yes, it can be stolen in a burglary, but then so can your PC, memory cards, hard disk drives, etc. Do you have them all encrypted?

1 Like

Hello,

This is not a solution, I live in a shared apartment. You can imagine that the data centers of Google, Facebook ā€¦ do not have their servers password protected.
What if enter thief in your house? Can you have all your personal photos? Can you have all the intimate data of yours? Personal videos? Documents sensible? Invoice?

To me it does not seem logical to me, there are many solutions to protect this, by means of an email to recover password (it is cloud = has internet connection).
This does not comply with the data protection law.

:confused:

Other thing that I think, if this happened.
Why does the hard disk have shared folder permissions? If everyone can actually access with this that I say, the permissions is useless !!!

P.D: Yes, IĀ“ve all files protected by password. In Mac is very easy => https://support.apple.com/kb/PH22246

It is not a solution, for you. For others there is no need for such security on a low cost network attached storage device which is what the single bay/single drive My Cloud units are. One could put the My Cloud into a locked cage or safe that supports network equipment.

What country do you live in where you have ā€œdata protection lawā€?

Bottom line is one can complain about the lack of security on the My Cloud all they want, the single bay My Cloud is what it is (and what it was designed to be). An entry level NAS with limited remote access capabilities. If you need enterprise level security then either look elsewhere at more expensive NAS units or roll your own firmware (or replace the My Cloud firmware) that has the security features you need.

What one CAN do is use third party file encryption and encrypt their files before copying them to the My Cloud. This way a device reset wonā€™t affect the encryption of the files.

Did you read my post? I raised that exact issue.

If you live in a shared apartment, what about all the other things you have to trust your flatmates with; money, personal items, papers, passport, etc, etc. The mycloud is no different.

If you want to protect it from physical access, put in in a locked container. If you need it to be encrypted then you didnā€™t think carefully enough about what you needed, or research what you bought.

Utter nonsense. Data protection is about what YOU store, and how you manage access to it. Generally, other peopleā€™s personal information. The MyCloud alone would probably not be suitable to meet the requirementā€™s of the UKā€™s Data Protection Act, but, as stated, itā€™s a consumer device, not an enterprise device. Data Protection is implemented by IT, physical and procedural access mechanisms.

For the price that Mycloud has, I think it must have it. Also, I think itā€™s not difficult because it can be fixed by software.
I again say that this overrides that the device has folder permissions, it is not logical, is not it?
Maybe, Iā€™ve been wrong product, but itā€™s good that people who think to buy it know that this option happens in them :frowning:


All countries of the European Union, for example, this law:
http://ec.europa.eu/justice/data-protection/

I complain, because as I say is easy to fix, and that should have at least. I do not find it difficult to fix this.
Youā€™re right that you should install other software to encrypt my data. Could you recommend some?

Thank you.

I understand what you tell me, but no one is safe from thieves.
Maybe I was wrong to buy this drive, my friend, but I also think itā€™s not difficult to fix software with a firmware update.

A greeting.

I canā€™t provide firmware upgrades. I donā€™t work for WD. This is a user forum.

Try posting your suggestions here:

https://community.wd.com/c/personal-cloud-storage/cloud-ideas

1 Like

Have you actually read that? If you have,you didnā€™t understand it.

BTW, this is a USER forum, not WD Support.

I kind if like not having a password on my WD NAS, it just makes it easier to access. All the data on my NAS is media files that are easily replaced, because the data is on backup drives. That said, it would be nice that a password be necessary to reboot/reset the NAS for people like yourself who do not want their device reset without authorizationā€¦

It appears, if I understand what I read, that law is for businesses; not necessarily for home users and their personal or portable hard hard drives/storage devices. The single bay My Cloud is not designed for a business environment, even though many may buy the device and use it in a business environment

This subforum is mostly a user to user support forum. We are not WD employees or paid support personal. WD support has previously indicated in another discussion why they included a reset that removes all password protection on the single bay My Cloud consumer grade device. See the following thread discussion:

https://community.wd.com/t/security-flaw-on-mycloud/187584/16

You can suggest WD do something about it in the Cloud Ideas subforum, but donā€™t hold your breath that theyā€™ll actually implement your suggestion(s).

https://community.wd.com/c/personal-cloud-storage/cloud-ideas

Thank you friend! =)

I would want to say other law of my country. Really, only there are that think that there are files (like your
Clinical history, health tests, invoices, bank movements ā€¦) that itĀ“s normal that I want to protect.

Congratulations friend, this is what I think I should have. I could choose a password for when I can reset the device, mycloud ask for a password. This is very logical. I do not say that it is mandatory for all users, but at least, it offers like option more. :slight_smile:
Thatā€™s a great solution if WD puts it on.

1 Like

I understand that this is not for WD personal. I asked a few days ago by technical support to them, although they only answered that they were working but without giving me a definitive solution or to know if this they are going to fix it in next versions.
I ask here, because I wanted to be sure that there is only this way to other users, in addition, to know if I am the only user to whom (rarely) I am concerned about this.
At least, if any new user who wants to buy a unit, can read this topic and know BEFORE buying.

A greeting and thanks to all.

Well, protect them, then. Store them in an air-gapped device, encrypted, and physically protected.

Donā€™t store them on an unencrypted device that is physically unprotected, and available online.

Data protection requires an understanding of the system vulnerabilities, and requires security measures to be put in place to counter those vulnerabilities. Itā€™s up to the user to decide where data should be stored, and what security measures are required to protect that data. It is not the responsibility of data storage manufacturers to analyse the security requirements of all users, and provide a product that meets all security needs; that would be ridiculous (and DPA is trivial in comparison with some security requirements).

It is the responsibility of the data holder to ensure their storage and security measures are suitable. Thatā€™s you. Do the ā€˜jobā€™ properly.

1 Like

I understand you, you are right, I am responsible, for this, I want this unit to have that option, I still think it is a security error.
The only thing I did not know for sure is that it was, maybe I thought there was another option, so I asked you.
If this device is to save data (it is one of its functions), it seems logical that I keep the data securely, and in all jobs, an administrator, has full control, but in this case, the administrator can have the same Role than a normal user, because the normal user whenever he wants, can take control of the unit.
Also, this causes different permissions not to work on the drive.
First, the drive should ask if the user wants a password to reset, second, how difficult is it to set a password to reset the drive by the WD manufacturer? Because I think it is not difficult, if the administrator does not know the password, then, delete the files, this is a sure method.

Iā€™ll think of other methods(buy other system more security that It have this feature), but I do not like it at all, ever I would WD.

But I appreciate your opinions.

A greeting.

If one is looking for volume encryption on the single bay/single drive My Cloud unit then they are looking at the wrong My Cloud model. The single bay My Cloud unit is the entry level consumer based network attached storage device. It is NOT intended nor marketed (AFAIK) towards businesses where there may be the need for additional security.

People try to go cheap and buy the single bay My Cloud unit thinking, or assuming, it has the features/options of the more expensive multi bay My Cloud units. It doesnā€™t.

WD has a product feature matrix on their Support site that lists which units have which features:

https://support.wdc.com/knowledgebase/answer.aspx?ID=11425

Currently volume encryption is only supported on the following multi bay models:
PR4100
PR2100
DL4100
DL2100
EX4100
EX2100
EX4
EX2 Ultra
EX2

those models that support volume encryption, does the admin password also can be reset by just pressing 4s / 40s button? and after that can access all the data in disk?