Security Flaw on MyCloud

I’ve been having more issues with being unable to play any media files, and with connecting to my cloud on a cellular network.
I’ve decided to reboot the device by pressing the reset pinhole button to remedy the problem.
When this occurs, I can log in to my local mycloud device without needing the admin password.
Here is how I reproduced it.

  1. Navigate to the mycloud admin page using any browser.
  2. Go to Users → admin and make sure the password is set.
  3. Press the pinhole on the back of the device and wait for the device to reboot.
  4. Navigate to the mycloud admin page using any browser, enter admin as the device username and press the Login button without entering a password. ===>>> flaw!
  5. Go to Users → admin and observe that the password is now set to OFF!

I can reproduce this every single time.

Of course you can reproduce it every time. You are RESETTING the My Cloud.

http://support.wdc.com/knowledgebase/answer.aspx?ID=13986

It is NOT a security flaw. A reset allows you to gain access to the My Cloud if you have forgotten the Administrator Password and/or to reset the My Cloud to default values.

Stop and think about it for a second. What would you do without some sort of reset button if you could no longer log into the My Cloud Dashboard as the administrator, say because you forgot the password or someone else (like a kid) changed it? How would you reset the admin password if that reset button wasn’t available and SSH access wasn’t enabled and available?

lol, I see your point on how you could see this as a “feature” and not a flaw if this device did NOT contain any DATA.
For example, if this were a router and the user forgot the admin password and wanted to reset the device to factory default, since a router does NOT contain any user data.

However, MyCloud is a device that contains DATA that may be confidential. Consider the situation where this device is installed in an office environment where each user has access to their own share and a manager has files that should not be seen by other employees. Any employee could reset the device and gain full access to the entire contents. The manager has no way of knowing the situation until he/she tries to log in, only to realize that the admin password is not required. MyCloud does not provide any security for this type of situation.

Consider another situation. MyCloud device is stolen by someone. They now have full access to the entire contents. It has no security against this type of situation.

You mentioned that this is a feature to recover the forgotten password? MyCloud’s implementation of resetting a forgotten password is not a feature. Once a device is fully configured, it is the responsibility of the end users to remember the password. You say your child may have reset the password? Why and how does a child gain access to the device? It is the parents’ responsibility to maintain the password. If you buy a computer and fully configure it and then you forget the password later on, whose fault is it? Does the computer provide a backdoor for the forgotten password? Absolutely not!

Do you remember the case where Apple refused to give the feds the password for the terrorist’s iPhone? That was a max of 128GB of data, whereas the MyCloud device I have is 8TB of data. What if Apple had a way to reset the password by pressing some button to give the user full access to the iPhone? Would that be secure? Even if Apple did that, that would only give access to 1 person’s data, whereas MyCloud is shared by multiple people, so this compromises multiple people’s data.

Password recovery should have some kind of authentication to verify, and only then authorize the access. WD needs to patch this.
What we have here is a HUGE security flaw. I can see a class-action lawsuit.

You’d better speak to WD then. We’re customers here, not WD employees.

That Hugh, again; he’s terrible at creating secure systems…

Good luck with that class action. Here are the points for the defence:

  1. The password reset is clearly described in the User Manual. You did read the User Manual, didn’t you…?
  2. The disk is not encrypted, just like most other hard drives. If you remove the drive from the case you can get access to the files. Same with a PC.
  3. It is not advertised as an encrypted hard drive.
  4. Computer security relies on electronic security (passwords, etc.), physical security (preventing access to the reset button) and personal security (trust). If you’re serious about maintaining your data security, you need to take measures to protect against all three. The last is the most difficult; WikiLeaks, Snowden etc.
  5. This is a consumer device, not really intended for commercial or office use.

lol.
I know we are all customers… :slight_smile: I was not implying that you represent WD.
HUGH :slight_smile: lol… Yup he is terrible :slight_smile:

  1. You had a manual? Mine did not come with one.
  2. Most hard disks can be easily encrypted.
  3. I agree that WD did not, but the password and shares imply that the device is secure and protected from other users accessing my files.
  4. I agree, but with modern open space environments it is getting hard to physically secure anything; but I do agree with you.
  5. Regardless of it being consumer vs. commercial, security is a high priority and should be implemented correctly. iPhones are not commercial devices, yet they take security seriously. Just hope WD did the same.

I think you misunderstand the intended target audience for the single bay My Cloud devices. They are intended for home use/personal use. If someone who values security in a business environment is buying a single bay My Cloud expecting to have enterprise level security then they chose very poorly.

Out of the box the single bay My Cloud does NOT have any password protection. It is up to the user to decide what, if any, password protection they want after they set up the device. Could WD have put a basic Administrator password on it like consumer level routers have out of the box? Sure, but guess what, almost all consumer level routers can be reset and anyone can take 5 seconds to Google for the default out of the box password. Which means there is no effective security for out of the box consumer routers, since the passwords can be easily discovered.

We are just users here. If you feel so strongly about this supposed “flaw” then contact WD directly. In the grand scheme of things what you think is a security flaw isn’t really a security flaw when compared to most other consumer grade electronics. It’s a simple fact that basic security is often not a serious consideration for most consumer electronic devices. Partly due to the fact that having strong security on a device may mean frustration for the average Joe Six Pack home user of the My Cloud, who will get frustrated with it and end up buying a competitor’s device which isn’t so hard to use or access.

If one is so concerned about someone gaining access to their My Cloud to reset the device then they could hide or otherwise lock up the My Cloud unit so one would have trouble gaining physical access to it.

The chief long running security complaint some of us have with the My Cloud security is with the fact that one cannot currently set the default Public Share to Private without hacking the firmware via SSH. As such anyone who can access the My Cloud will always have access to at least one Share to which they could upload/download any content without inputting a username/password.

The single bay My Cloud is what it is. And it has its (many) faults. Some of which we have long complained about and which can sometimes be worked around. Feel free to make suggestions on improvements to the unit in the Cloud Ideas subforum.

https://community.wd.com/c/personal-cloud-storage/cloud-ideas

1 Like

Couple of additional comments. Because many consumer level NAS devices do not have on-disk encryption and/or do not encrypt the contents, it is a trivial matter for someone to simply remove the hard drive from the NAS enclosure, install it in another machine and gain access to all the user data.

Same goes for the hard drive in one’s computer or laptop. Unless the user enabled encryption, all that data can be hacked once someone gains physical access to the computer or removes the hard drive from that computer. On Windows PCs there is various software to pull (and possibly change) the Windows password without booting into Windows.

For ages, even though computers had boot level passwords, it was often a trivial matter of simply setting a jumper on the motherboard to erase that password and gain access to the PC or its BIOS. So what did computer makers do? Put locks on computer cases to make it harder to gain access to the motherboard or the internal hard drive.

Fact is that most home users do not take their security very seriously. Even when manufacturers do force security upon the end user, that end user often either disables that security or uses weak/common passwords because it’s easier to use the product when they do so. It’s amazing that so many simply use the password “admin” or “password” or “1234” simply because it’s so easy for them to remember.

Most consumer level NAS and external hard drives are not designed with security in mind; they are designed for end user ease of access. If one is so worried about the My Cloud being easily accessible or hacked, then one can use third party encryption software to encrypt their files (or backups), thereby bypassing the basic security and reset nature of the My Cloud.

1 Like

Phones are intended to be carried in non-secure locations (outside your house). They are small and easily forgotten, lost or stolen. They are a computing platform, running apps that have financial implications. They need better security than a server, depending on what you store on the server.

My policy on using the MyCloud is to store nothing on it that would cause anything more than minor embarrassment were it to be stolen or hacked. Anything I want secured is either air-gapped or encrypted, or both. My main concern about theft is loss of data, so I have an independent backup.

Encryption only gains you time against a competent and determined attacker. You are unlikely to encounter that unless you have been specifically targeted for some reason. The vast majority of domestic thefts will end up sold on with no interest in the data whatever; those who want your personal data are already hoovering it up with your permission…

1 Like

Exactly, comparing a cell phone to a consumer grade NAS designed for the home environment is an apples to oranges comparison. The security needs for each device are designed for their intended tasks. Don’t know about newer cell phones but older ones from as recently as two or three years ago generally did not come with encryption enabled out of the box nor was screen lock typically enabled out of the box. Currently there are various methods police can use (with a warrant in the United States) to gain access to even an encrypted cell phone or computer.

If one takes their security seriously then as you indicate there are various steps they would take regardless of what security the device may have. From air gapping the NAS/local network to placing the device in a locked cabinet to running third party file encryption. But in the end all one is doing is slowing down a determined attacker/hacker.

You guys are missing my point.

When a product allows you to create users and grant permissions and control user access, the product is implying that each user is prohibited from looking at other people’s data.
Yet the admin password can be reset by pressing the pinhole, which gives full access; that is a flaw.

I guess security means different things to different people.

1 Like

I at least am not missing your point. I fully understand what you feel is a flaw. When one does a 4 second reset only the administrator account password is reset to blank. Being reset to blank is no different than being reset to “password”, “admin” or some similar generic well known password that other devices default to when reset. A person still has access to the device even with the generic password. Once someone has admin access to a device they generally have full and complete access to all user data on that device through various means, including assigning the admin as a full rights user of other users’ data/files/shares.

Now the 40 second reset is different in that it will reset all Shares to Public and remove all User accounts in addition to resetting the Admin password to blank. Could that be seen as a “security flaw”? On a business/enterprise class device, yes it would be. On a cheap/low cost home consumer device, probably not. If you need better security on a cheap/low cost home NAS then look elsewhere or find other methods to encrypt the data. On the flip side some will see the 40 second reset of all shares to public as a good thing, in that they can access a user’s data if that user forgot their password and the person doesn’t remember the administrator password. And yes it has happened before, as I believe there is even a post or three here asking about password recovery.

Even without the reset button resetting the permissions on the Shares, because of the design of the single bay My Cloud, one simply pulls the hard drive from the enclosure and they’ll have full access to all user data on that drive regardless of the password used in the Dashboard. Good news in that it is one way of recovering data if the firmware becomes corrupted. If one is so concerned, simply fill the reset hole with epoxy or the like so the reset button cannot be used; of course the downside is not being able to reset the unit if you forget the administrator password.

2 Likes

Yes, I agree that anyone can remove the hard disk, but that is true for any kind of device.

I was just surprised that the password was reset to blank. I would rather not have this “feature” to reset password but have somewhat more sophisticated authentication/authorization process for password reset.

1 Like

Then find another NAS device that has the security you want it to have, just don’t be surprised if other consumer level devices are similar. For example the Synology DiskStation NAS is somewhat similar in that you can reset the DiskStation administrator password back to the well known default which would then allow anyone to gain access to the admin interface using the default password and make changes to the NAS and user folder permissions.

I have an old Seagate GoFlexHome :slight_smile: More reliable but SLOW. I’d love to return this but it’s been more than 30 days since I purchased it.

And on the Seagate GoFlex a 3 second press of the reset button will reset the password. And a 10 second reset will delete all user credentials from the unit, but it will leave the data intact.

1 Like

Hi Jeteye:

We completely understand how resetting the password back to blank can seem like a bad feature, but we have to treat the ability to do so as a requirement precisely for the reasons Bennor and Cpt_paranoia have outlined. We have no choice in the matter.

You say that the password is set to blank. Yet the code in /usr/local/sbin/resetButtonAcrtion.sh contains the following code.
echo "root:welc0me" | chpasswd

If one is worried about the security flaw of resetting the admin password to the default value,
then edit the resetButtonAcrtion.sh file to contain a different password on reset.

Doesn’t changing the password in the echo "root:welc0me" | chpasswd line in the /usr/local/sbin/resetButtonAcrtion.sh only affect the SSH/Root password and not the actual administrator password? Isn’t it the code right above that line that appears to remove the administrator password?

# remove owner password
owner=`getOwner.sh`
modUserPassword.sh ${owner}

That calls the /usr/local/sbin/modUserPassword.sh file. In which there is code to remove the password from the user.
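A defender-side check to go with the explanation above: the owner account is left with an empty password field after a reset, so a small audit of a shadow-format file can tell you whether a reset has happened. This is an added example, not WD’s script or anything from the device; the shadow lines are constructed, and the assumption is that the audit runs as root so /etc/shadow is readable.

```shell
#!/bin/sh
# Audit a shadow-format file for accounts whose password field is empty.
# After a pinhole reset the owner's password is removed (modUserPassword.sh),
# which shows up as an empty second field in /etc/shadow.
# Constructed sample: owner "george" blanked by a reset, root with a
# placeholder hash, two service accounts locked with "*" and "!".
SAMPLE_SHADOW='root:$6$PLACEHOLDERHASH:17500:0:99999:7:::
george::17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
sshd:!:17500:0:99999:7:::'

# Print one account name per line for every entry whose second field is empty.
# "*" and "!" mean the account is locked, not passwordless, so they are skipped.
blank_password_accounts() {
    printf '%s\n' "$1" | awk -F: 'NF >= 2 && $2 == "" { print $1 }'
}

# Returns 1 (and prints a warning) if any account has an empty password field,
# 0 otherwise. Suitable for a cron job on the device; assumes it runs as root.
audit_shadow_file() {
    found=$(blank_password_accounts "$(cat "$1")")
    if [ -n "$found" ]; then
        echo "WARNING: accounts with empty password field: $found"
        return 1
    fi
    echo "OK: no empty password fields"
    return 0
}

# Stand-alone run against the constructed sample (expected: WARNING for george).
if [ "${1:-}" = "--demo" ]; then
    blank_password_accounts "$SAMPLE_SHADOW"
fi
```

Run it as `sh audit.sh --demo` to see the constructed case, or point `audit_shadow_file` at /etc/shadow on the unit over SSH.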

I guess I’m confused about the administrator and root passwords. On my system the owner is george. So the password for george would be set to blank. The root password would be set to welc0me. There is no admin user in my /etc/passwd.
I was under the impression that the admin and root passwords were the same.

It appears the root and administrator accounts are different. If you look at the /etc/group file it will probably list George as the administrator. Chances are you changed the admin user name after the initial login to the Dashboard.