Trying to pretend security vulnerabilities don't exist won't make them go away

Earlier today, a user posted a thread asking a very reasonable question about a well-known ‘internet of things’ search engine that has been around since 2009, and is widely used by ‘white hat’ security analysts, as well as ‘black hat’ hackers…

This user raised an important issue that this search engine revealed a significant number (~1700) of MyCloud devices that are visible to the world, including their contents.

The thread has been deleted.

A few words to whoever was responsible for this deletion:

  1. You cannot make this search engine go away just by trying to stop your customers from finding out about it through this forum. It’s the second hit on a simple Google search.

  2. The ‘black hat’ hackers know about it, and will use it to exploit vulnerable devices.

  3. Don’t you think it’s better that people know that their devices may be open to the internet, and advise them how to take steps to secure them, rather than trying to pretend these vulnerabilities don’t exist?

  4. If you don’t want your customers to know about ‘nasty things on the Internet’, are you taking steps to use this search engine to find your products that are vulnerable, and informing your customers that their devices are vulnerable, and how they can fix the problem?

shh…

Which is why a universal password would be a good option? Would this also require a password to view these files found through this method, if implemented?

Well, Shodan is no secret and I use it quite a lot for my work.

Yes: that was my point; these tools are not secret, so there’s no point trying to hide the fact from WD users by deleting threads that mention them. In fact, it would be an idea to suggest that MyCloud users use these tools to see if their devices are exposed in the manner you (and the deleted thread) point out…

The questions for WD are: Why are these devices exposed? What settings have their users made that allow their devices to be open to the internet? What must be changed to stop them being visible?

Hi cpt_paranoia, 

I’ve tried to avoid posting these days but just can’t help it haha. 

I shall not go into details about the scanning tools as some were already mentioned; one of them is the readily available netcat on most *nix, even our NAS.

I have not read the deleted thread but think it was removed to avoid unnecessary panic among the cloud users?

In our WD NAS, by default there are ‘only’ two ports exposed to the world if you enabled the cloud access thingy, the http and https (not the common 80/443; http is used for the DNS check, data/auth uses https). You either map these manually as per the dashboard settings, or they are automatically hole-punched via UPnP if your router supports it. These two ports open your NAS shares to the world via WebDAV according to your existing users and shares, to allow you to log in and access them externally. You don’t have to worry much about username and password; look for my buried post about webdav/sqlite on how the authentication is done. Even in the event of a dictionary brute force attack (on this 650MHz duo core, really? Think the NAS will hang just after a few minutes of attack lol), one still needs to match the hash crypt username and password.

Long story short, it is still partially the user’s responsibility to ensure a strong username and password, because nothing is impossible to break; it just takes time to accomplish or be discovered. If a user really has sensitive data on the NAS, then the cloud is not the place; turn it off.
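A defender’s self-check for the UPnP hole-punching mentioned in the post above: this added Python script (not from the thread, WD, or any WD tool) walks a router’s UPnP IGD port-mapping table with GetGenericPortMappingEntry and lists the mappings that forward WAN traffic to a given LAN address, such as the NAS. It assumes you already know the router’s WANIPConnection control URL (found in its UPnP device description XML); the sample SOAP reply is constructed, not captured from a real router.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")

def build_request(index):
    # SOAP body for GetGenericPortMappingEntry at position `index` of the router's mapping table
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="{SOAP_NS}encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()

def parse_mapping(xml_bytes):
    # One mapping as a dict; None on a SOAP fault (routers fault once the index is past the last entry)
    root = ET.fromstring(xml_bytes)
    resp = root.find(f".//{{{WANIP}}}GetGenericPortMappingEntryResponse")
    if resp is None or root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None
    return {f: (resp.findtext(f) or "") for f in FIELDS}

def list_mappings(control_url, timeout=5):
    # Walk the table from index 0 until the router faults (faults arrive as HTTP 500 with a SOAP body)
    headers = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{WANIP}#GetGenericPortMappingEntry"'}
    mappings = []
    for index in range(256):  # defensive upper bound on table size
        req = urllib.request.Request(control_url, data=build_request(index), headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as r:
                body = r.read()
        except urllib.error.HTTPError as e:
            body = e.read()
        m = parse_mapping(body)
        if m is None:
            break
        mappings.append(m)
    return mappings

def forwarded_to(mappings, lan_ip):
    # Readable lines for every enabled mapping that sends WAN traffic to `lan_ip` (e.g. the NAS)
    return [f"{m['NewProtocol']} WAN:{m['NewExternalPort']} -> {lan_ip}:{m['NewInternalPort']}"
            f" [{m['NewPortMappingDescription']}]"
            for m in mappings if m["NewInternalClient"] == lan_ip and m["NewEnabled"] == "1"]

# Constructed sample reply (not captured from a real router) so the parser can be exercised offline.
SAMPLE_RESPONSE = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
    f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}"><NewRemoteHost/>'
    '<NewExternalPort>9443</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    '<NewInternalPort>443</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>'
    '<NewEnabled>1</NewEnabled><NewPortMappingDescription>nas https</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>').encode()
```

Run `forwarded_to(list_mappings("http://<router-ip>:<port>/<control-path>"), "<nas-lan-ip>")` with your own router’s control URL and NAS address (placeholders) to see every hole punched towards the NAS; anything listed there is reachable from the internet whether or not you remember opening it.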

Welcome to the Hotel California…

Wonder how many of those WD My Clouds that are exposed are being exposed because the user has put the device into the “DMZ” mode, or outside their broadband gateway/router’s firewall, or have manually opened up ports through their broadband gateway/router to the device (like for FTP or even SSH access).

In any event there is an inherent risk associated with enabling remote access to any device on one’s local network.

Wonder how many of those WD My Clouds that are exposed are being exposed because the user has put the device into the “DMZ” mode […]

Yes, I’d like to know to reassure myself that it’s down to ‘user error’, and not a simple setting on the MyCloud. The fact that the search engine isn’t finding 100s of 1000s of devices shows it’s not a basic fault, but something unusual. I’d just like to know what it is so I know not to do it…

cpt_paranoia wrote:

Yes, I’d like to know to reassure myself that it’s down to ‘user error’

… or “user ignorance” for that matter.

There are numerous posts in this very forum instructing people to put their devices in the DMZ to make them “work.” Plenty of others on how to port-forward SAMBA (which means the Public share is exposed since it’s unsecured.)

Plenty of other posts on other forums about how to punch holes and modify the Twonky configs to allow remote streaming.

The ordinary joe is just naive to the extreme…  And like anything else on the internet, bad advice spreads just as fast as good.

or “user ignorance” for that matter.

I include that in my ‘user error’…

And I include myself in user ignorance; I’m no infosec guru.

I added a port opening in my firewall to support Bubble UPnP server, tried it out, and then closed it, because I wasn’t sure if it was vulnerable.

I ought to read up on it, or chat to my more knowledgeable colleagues…

cpt_paranoia wrote:

Yes, I’d like to know to reassure myself that it’s down to ‘user error’, and not a simple setting on the MyCloud. The fact that the search engine isn’t finding 100s of 1000s of devices shows it’s not a basic fault, but something unusual. I’d just like to know what it is so I know not to do it…

My guess is it is end user specific configuration that is causing those units to be exposed and scanned. There really are only a few basic ways to gain unauthorized remote access and most of those ways would involve the Firewall on the end user’s broadband router/gateway to forward the WAN traffic to the local LAN or a flaw in either the WD apps (or WD2Go site) or in other internet capable apps on the end user’s computer.

As we’ve seen there have been one or maybe two other threads (like this one) where people claim their My Clouds were hacked or unauthorized persons were able to gain access. It’s not clear in any of those prior threads if that was really the case and if it wasn’t caused by end user specific configuration or port forwarding. I know in one thread a user claimed that simply providing a URL to a specific file generated by the WD My Cloud Desktop app provided access to all the public share contents, but it was shown that that was probably unlikely due to the nature of how the remote URL for a specific file was generated by the WD My Cloud Desktop program.