We have received reports from the ACMA’s Australian Internet Security
Initiative (AISI) that a machine accessing the Internet using your TPG
Service is causing unwanted traffic to be transmitted, such as spam
and viruses, or has some other detected vulnerability.
A summary of the last few complaints have been provided below:
It may be that your equipment has been compromised by a hacker, some
other malicious software has been installed onto your system, or
there is some other serious issue that requires your attention.
ETC. ETC…
I understand the device is not secure. Is WD working on this issue?
We have received reports from the ACMA’s Australian Internet Security
Initiative (AISI) that a machine accessing the Internet using your TPG
Service is causing unwanted traffic to be transmitted, such as spam
and viruses, or has some other detected vulnerability.
A summary of the last few complaints have been provided below:
It may be that your equipment has been compromised by a hacker, some
other malicious software has been installed onto your system, or
there is some other serious issue that requires your attention.
ETC. ETC…
I understand the device is not secure. Is WD working on this issue?
This security issue is known to WD. I have both of my My Clouds offline for several months now with no fix in sight, nor any acknowledgement from WD that there is a risk… As for Fox_exe’s response, it would require you to modify the firmware which would void your warranty. Fox_exe has done a tremendous amount of awesome work for My Cloud users in this forum, but just be aware of the warranty issues Revvv000.
I understand the device is not secure. Is WD working on this issue?
WD has provided a consumer product with some enterprise like capabilities. IMO the devil is certainly in the details, and many of these details are somewhat beyond the understanding scope of the majority of the intended audience.
I have taken a different approach than SectorGZ taking devices off line.
In my home My Cloud is ‘OFF OF THE INTERNET’
I have intentionally disabled: 1) My Cloud ‘cloud’ access; 2) UPnP on my router.
I have a wonderful single point backup system for 8 computing devices, a robust file sharing system compatible with iPhone, Mac Book Pro, Windows 7, & Linux. I suspect that when I enable media sharing it, too, will satisfy my needs.
Security and privacy is a shared responsibility, but ultimately the end user is responsible.
Security and privacy is a shared responsibility, but ultimately the end user is responsible.
But since remote access is an advertised feature of the product, and there are fixes available for the security holes, that require little effort on the part of WD (beyond building the new version into a firmware image and regression testing), they really ought to have been rolled out long ago.
I too have my MyCloud offline; cloud access disabled and UPnP disabled on my router.
But since remote access is an advertised feature of the product, and there are fixes available for the security holes, that require little effort on the part of WD (beyond building the new version into a firmware image and regression testing), they really ought to have been rolled out long ago.
Like most things that sound good to be true they probably aren’t.
IMO most consumers are not equipped to securely host there own internet accessible devices. My anecdotal experience supports this.
I had to do extensive searching discovering exactly how to disable UPnP on my “consumer” router I purchased from Verizon that enable their FiOS fibre access. When I called Actiontec, the manufacturer, they informed me that I had to contact Verizon for the ability to adjust UPnP because Verizon had requested that. The catch 22 here is that Verizon then deferred to the manufacturer.
For those folks who might be interested here are 2 hidden adjustments on an Actiontec router
I understand where you are coming but there is not a security breach on my network. Only My Cloud device is vulnerable.
Disabling UpNP is not an option since I use it for other things.
My Cloud advertise I can access my data from anywhere and that’s why you pay a lot more for their device. If I wanted to store something locally I would buy something cheaper and better than My Cloud.
Yes, we agree with you… We’re just customers, too.
The UPnP disable is just for router control via UPnP. This prevents programs opening up holes in the firewall.
We’re not talking about preventing the carriage of UPnP traffic over the router (e.g. for media streaming); I have UPnP control turned off, but I can still stream media around my network.
But you may need to have UPnP control of your router for legitimate reasons.
I understand where you are coming but there is not a security breach on my network. Only My Cloud device is vulnerable.
Disabling UpNP is not an option since I use it for other things.
My Cloud advertise I can access my data from anywhere and that’s why you pay a lot more for their device. If I wanted to store something locally I would buy something cheaper and better than My Cloud.
I agree with you … but as cpt_paranoia said, we are customers just like you. Also when I mentioned both of my My Clouds are offline, I meant “Cloud Access” is disabled … everything on the LAN is active just no Internet activity … sorry for the misunderstanding.
Also, like you, I have to have UPnP enabled for other functionalities.
We can not place any preasure on WD to fix anything, nor are they offering any information as to when a fix will be available, if ever. Compared to other NAS manufacturers and their actions with firmware fixes, it appears that WD is “in over their head” on the My Cloud.
I understand where you are coming but there is not a security breach on my network. Only My Cloud device is vulnerable.
Disabling UpNP is not an option since I use it for other things.
My Cloud advertise I can access my data from anywhere and that’s why you pay a lot more for their device. If I wanted to store something locally I would buy something cheaper and better than My Cloud.
If My Cloud is active on your network and you access MC remotely then your network is VULNERABLE to security breaches.Think of this similarily to a chain whose links are designed to pull 1000 tons and you insert a new link that was contructed with a weaker steel composition that will only pull 800 tons. It really doesn’t matter how strong the other links are because now the entire chain can only pull 800 tons.
Using MC internally on your private lan will not result in the same vulnerabilities as having MC data available on the internet.
Pete I understand but what iI mean is my network is vulnerable only because of My Cloud
and again if I wanted to store something locally only (MY LAN) than there are 100k options better than my cloud.
WD cant just tell us “disable MC data from the internet and you are good”.
Anyway I don’t expect anything from WD but I’ll be careful next time before buying.
Actually WD did not tell us to “disable MC data from the internet and you are good”, they haven’t admitted there is a security issue at all. These suggestions are from the community of users.
But you have certainly “Hit the Nail on the Head” about being very careful about buying, and may I add “recommending”, WD products. I have never spent this much time on any product, operating system, or device as I have with the WD My Cloud. Basically I over spent on a WD Red HDD that I wouldn’t have bought in the first place. Maybe someone … someplace … with passion from WD is listening and taking heart of the matter.
WD cant just tell us “disable MC data from the internet and you are good”.
As SectorGZ says, it’s even worse than that: WD have said nothing. They’ve not publicly acknowledged the security vulnerabilities, and they’ve not made any statement about the timeframe for a fix.
We’ve chosen to take our devices offline to avoid the known security vulnerabilities.
Maybe someone … someplace … with passion from WD is listening and taking heart of the matter.
Thank you ERmorel. With all do respect this statement “We have passed this along to support” really doesn’t mean much. This forum is full of those and nothing gets accomplished.
I know you are doing your job and it is not you that is responsible to fix the My Cloud or address its short comings. But having a device that is advertised to be a “Cloud” with access from anywhere and then have to off “Cloud Access” to keep from getting hacked is not acceptable. This security breach has been known for a long time.
Are we waiting for Debian “wheezy” to fix the issue, not WD? All any of us are asking for is the acknowledgement of the issue and a time frame for a fix. I feel as paying customers that is the least we can expect. Our last firmware update was 23-Feb-15 and that was 6 weeks ago. I won’t even go into the issues that has caused.
We thank you for submitting your issues to both the community and WD Support. We have submitted the items reported to the appropriate teams within our organization.
I also got contacted by my ISP regarding vulnerability on my device. I have a case open with WD for the last 3 weeks to investigate:
Western Digital Support Case #: [Deleted]
However there is no timescale for a fix:
“In regards to your case, the request will be escalated to see if we have a target date for the firmware release.”
The advice in the meantime is “recommend you to disable the Cloud Feature of the WD My Cloud” (meaning the product is no longer fit for purpose)
I am surprised at this, especially given that fundamentally all that needs to be done is to disable SSL V3 and instead rely on TLS, but my assumption is that this has a knock-on effect to other services on the device.
I manage a number of FTP servers comercially, when POODLE became known in October 2014, most FTP software vendors had a fix available within days. Just saying…