My ISP reported an issue with My Cloud

Yes, we agree with you… We’re just customers, too.

The UPnP disable is just for router control via UPnP. This prevents programs opening up holes in the firewall.

We’re not talking about preventing the carriage of UPnP traffic over the router (e.g. for media streaming); I have UPnP control turned off, but I can still stream media around my network.

But you may need to have UPnP control of your router for legitimate reasons.

Revvv000 wrote:

I understand where you are coming but there is not a security breach on my network. Only My Cloud device is vulnerable.

Disabling UpNP is not an option since I use it for other things. 

My Cloud advertise I can access my data from anywhere and that’s why you pay a lot more for their device. If I wanted to store something locally I would buy something cheaper and better than My Cloud.

I agree with you … but as cpt_paranoia said, we are customers just like you. Also when I mentioned both of my My Clouds are offline, I meant “Cloud Access” is disabled … everything on the LAN is active just no Internet activity … sorry for the misunderstanding.

Also, like you, I have to have UPnP enabled for other functionalities.

We can not place any preasure on WD to fix anything, nor are they offering any information as to when a fix will be available, if ever. Compared to other NAS manufacturers and their actions with firmware fixes, it appears that WD is “in over their head” on the My Cloud.

1 Like

Revvv000 wrote:

I understand where you are coming but there is not a security breach on my network. Only My Cloud device is vulnerable.

Disabling UpNP is not an option since I use it for other things. 

My Cloud advertise I can access my data from anywhere and that’s why you pay a lot more for their device. If I wanted to store something locally I would buy something cheaper and better than My Cloud.

If My Cloud is active on your network and you access MC remotely then your network is VULNERABLE to security breaches.Think of this similarily to a chain whose links are designed to pull 1000 tons and you insert a new link that was contructed with a weaker steel composition that will only pull 800 tons. It really doesn’t matter how strong the other links are because now the entire chain can only pull 800 tons.

Using MC internally on your private lan will not result in the same vulnerabilities as having MC data available on the internet.

Pete I understand but what iI mean is my network is vulnerable only because of My Cloud :slight_smile:

and again if I wanted to store something locally only (MY LAN) than there are 100k options better than my cloud. 

WD cant just tell us “disable MC data from the internet and you are good”.

Anyway I don’t expect anything from WD but I’ll be careful next time before buying.

Revvv000 wrote:

Pete I understand but what iI mean is my network is vulnerable only because of My Cloud :slight_smile:

and again if I wanted to store something locally only (MY LAN) than there are 100k options better than my cloud. 

WD cant just tell us “disable MC data from the internet and you are good”.

Anyway I don’t expect anything from WD but I’ll be careful next time before buying.

Actually WD did not tell us to “disable MC data from the internet and you are good”, they haven’t admitted there is a security issue at all. These suggestions are from the community of users.

But you have certainly “Hit the Nail on the Head” about being very careful about buying, and may I add “recommending”, WD products. I have never spent this much time on any product, operating system, or device as I have with the WD My Cloud. Basically I over spent on a WD Red HDD that I wouldn’t have bought in the first place. Maybe someone … someplace … with passion from WD is listening and taking heart of the matter.

2 Likes

WD cant just tell us “disable MC data from the internet and you are good”.

As SectorGZ says, it’s even worse than that: WD have said nothing.  They’ve not publicly acknowledged the security vulnerabilities, and they’ve not made any statement about the timeframe for a fix.

We’ve chosen to take our devices offline to avoid the known security vulnerabilities.

Maybe someone … someplace … with passion from WD is listening and taking heart of the matter.

Look: a Staff member!

http://community.wd.com/t5/WD-My-Cloud/Cannot-Access-Dashboard-at-http-wdmycloud/m-p/867460#M32778

Hello all,

We have passed this along to support.

2 Likes

Thank you ERmorel. With all do respect this statement “We have passed this along to support” really doesn’t mean much. This forum is full of those and nothing gets accomplished.

I know you are doing your job and it is not you that is responsible to fix the My Cloud or address its short comings. But having a device that is advertised to be a “Cloud” with access from anywhere and then have to off “Cloud Access” to keep from getting hacked is not acceptable. This security breach has been known for a long time.

Are we waiting for Debian “wheezy” to fix the issue, not WD? All any of us are asking for is the acknowledgement of the issue and a time frame for a fix. I feel as paying customers that is the least we can expect. Our last firmware update was 23-Feb-15 and that was 6 weeks ago. I won’t even go into the issues that has caused.

What are we suppose to do?

Everyone,

We thank you for submitting your issues to both the community and WD Support. We have submitted the items reported to the appropriate teams within our organization.

Regards,

WD Customer Support and Services

Bill_s are there any updates on this issue? I’m still keeping my equipment offline, I like to add it to my network asap.

Please get a solution for this issue,

thanks

Nothing to report back, yet; though I’m sure we’re still looking into it.  Is the drive completely offline, or not just accessing the internet?

Hi all,

I also got contacted by my ISP regarding vulnerability on my device.  I have a case open with WD for the last 3 weeks to investigate:

Western Digital Support Case #: [Deleted]

However there is no timescale for a fix:

“In regards to your case, the request will be escalated to see if we have a target date for the firmware release.”

The advice in the meantime is “recommend you to disable the Cloud Feature of the WD My Cloud” (meaning the product is no longer fit for purpose)

I am surprised at this, especially given that fundamentally all that needs to be done is to disable SSL V3 and instead rely on TLS, but my assumption is that this has a knock-on effect to other services on the device. 

I manage a number of FTP servers comercially, when POODLE became known in October 2014, most FTP software vendors had a fix available within days.  Just saying…

Mine has been offline (internet access) for 3 months awaiting a fix. No one seems to understand why it is taking so long since this issues has been known for 6 months.

There is a fix posted on the forum, but that requires SSH’ing into the My Cloud and changing the firmware. This, in turn, could void your warranty so beware.

WD support came back to me with this update:

We were able to verify the information but unfortunately we do not currently have target date for the next WD Firmware release. Our engineering team is working on it and the next firmware version should be released soon.

I find it incomprehensible that an IT company can hope to do business like this.  When you buy an internet ready cloud storage device, the assumption is that you can access it from the internet.  I cannot understand why the engineering team is unable to give even a ballpark figure for how long to fix and test something (and SectorGZ says, this is hardly new).  My assumption is that no effort is being made in this area and that focus is only on new devices.  I can’t imagine that the device I buy to replace this is going to be from WD…

Last weekend I was visiting a friend, road trip, and he mentioned he just purchased a 4TB My Cloud and was having issues logging into the dashboard, I didn’t even knew he bought the device. I did a power on 40sec. reset and got into the dashboard to help him set the My Cloud up.

He is a HUGE music inficiato and purchased the device for primary storage and internet access for his devices and purposes. After explaining the security issues, turning off features (such as “Media Serving”) within his shares to make the My Cloud functional, etc., and showing him this forum with all the issues that are not being addressed he has decided to clear and return the My Cloud.

He was a big fan of WD as he owns many of their devices ( HDD’s, MyBooks, etc.) and is very disappointed that WD has taken such an approach to it’s customers. What could I say?

SectorGZ,

Could you please (as I have searched most everywhere and only really come up with poodle and heartbleed/shellshock) list the security vulnerabilities that is constantly being brought up about the device?

I only ask so that I can compare to my existing cloud and see where my device stands as I literally used it to replace my dropbox.

Thank you,

Pretty sure it is just Poodle, heartbleed and shellshock.  January firmware upgrade addressed Freak.

These are the ones that ACMA is asking Australian ISPs to cut off customers for having…

http://www.theregister.co.uk/2015/04/01/poodle_dogs_australian_consumer_modems/

@rauger

If that’s the case my v4 firmware shows not vulnerable for poodle and I believe all shellshock/heartbleed.

poodlescan.com will take your public IP and scan it.

I purposely scanned mine and first tested vulnerable then updated ssl and tested not vulnerable after that.

From ssh I tested bash by using the command

curl https://shellshocker.net/shellshock_test.sh | bash

Everything came back not vulnerable.

Is there anything else I’m missing?  Just want to make sure I’m secure enough.

I use the WD service https://www.wd2go.com which will redirect to https://mybooklive-device???.wd2go.com/Admin/webapp

What URL are you using for remote admin access to your device?

I don’t use wd2go.com, it never seems to want to work right for me.  Could be because of my hosts blocking file on all my pc’s/tablets/laptops.

If I have to admin my device I vpn into my home network (via ddwrt).  

To access the cloud device for files I use the wd app with port forwarding properly configured.

I could be mistaken in your question so apologies on that.  If you are talking about adding/removing a device from your wd2go account I don’t do that either thanks to my vpn and/or the activation codes for cloud access.

I do know that I went through extra steps and backwards a couple of times to get my scans to show not vulnerable.

If I am also missing anything feel free to let me know.  I plan on getting another 3tb mycloud just to play around with so that I can stop bringing down my main cloud whenever I want to try/test/change things.