WD MyCloud WDBCTL0060HWT noob security Qs

Hello, first post here, so I hope it won’t get bashed too much :slight_smile:
Okay, so I just received a second hand WD My Cloud 6 TB ( WDBCTL0060HWT-EESN ). I was reading thru the community and the latest firmware still vulnerable thread and couple security articles. My device came with v04.05.00-320 already from the previous owner and my first actions was to set Cloud Access to disabled, change the device network name. run “Quick Restore”, set user password. I’d like to get your opinion on following things:
Q1) Is this sufficient to consider the device “factory-clean” in case it faced security breach earlier in it’s life? I noticed after the Quick Restore, that the device has 1.5GB “Other” on the Home -> Capacity graph. Is this normal for empty device?
Q2) Does firmware v04.05.00-320 have all the open issues listed for v02 or most critical problems are fixed in v4?
Q3) I could not find any information about encryption of the drive… Is this possible? If I get it right, with “4 Second Reset (Reset with Power On)” procedure described in ( https://support.wdc.com/knowledgebase/answer.aspx?ID=13986 ) anyone with physical access can reset the admin password and hi-jack the device… Also no option to encrypt the disk drive. Meaning in case of physical theft it is a matter of under 1 minute to get full access. is this correct?

Thanks and looking forward to your answers.

Regards,
Pavel

A Quick Restore (performed through the My Cloud Dashboard > Settings > Utilities section) is supposed to erase all user data and reset the My cloud Settings back to default values. A 4 second reset or 40 second reset is NOT the same as a Quick Restore. The 4/40 second reset only resets certain My Cloud settings it does not remove user files.

Sometimes the capacity section of the Dashboard Home page is wrong or off. It is entirely possible the previous owner modified the firmware or added hidden folders that might account for the discrepancy 1.5GB in Other.

One suggestion is to download the latest v4.x firmware from the WD Support website and manually update the My Cloud using the Dashboard > Settings > Firmware page. Then perform a “Full Restore” which may/will take a significant amount of time. A full restore securely erases user data where as a quick restore only deletes user data which may potentially be recoverable.

We are users such as yourself here. Unless someone retests the latest v2.x and v4.x firmware to see if the various vulnerabilities have been patched, we can only go by what WD has claimed. One can read the firmware release notes to see what CVE’s have supposedly been addressed.

The “Latest firmware still vulnerable” thread indicated (or links in that thread indicated) that the v4.x firmware is not subject to certain vulnerabilities that affected the v2.x firmware.

Disabling Remote/Cloud Access, and disabling or not enabling FTP is one method of securing the My Cloud. While it will help prevent unwanted access from the internet it doesn’t prevent access from anyone who has access to your local network (both wired and WiFi). Securing one’s network is a multi layered/tiered approach. Once you secure the My Cloud one also needs to ensure their local network, local network router, and all devices on it are likewise secure including up to date with their latest updates (both software and firmware/hardware).

Officially no. The single bay My Cloud units do not officially support drive encryption (hardware or software) through the My Cloud Dashboard or the unit’s firmware/hardware.

Unofficially one can use various third party security software to encrypt files/folders on the My Cloud. One can use the forum search feature (magnifying glass icon upper right) to search for past discussions (there are a couple) on encrypting the single bay My Cloud units.

Yes, anyone who has physical access to the My Cloud (or most consumer grade NAS devices) can reset the device to gain access to content that was configured for restricted access. Or they could simply remove the internal hard drive from the My Cloud enclosure. One could always secure the My Cloud device in an enclosure or safe if they are concerned about someone gaining physical access to the device. Otherwise anyone who has access to the local network or local wifi also potentially can gain access (either through various unpatched vulnerabilities) or through any Public Share.

If one hasn’t done so they should read the My Cloud User Manual (https://support.wdc.com/product.aspx?ID=904) to learn how to create users and secure Shares (set Shares to Private) in addition to setting the My Cloud Dashboard to use a password for access.

1 Like

V4 firmware is for the gen1 devices, and is an entirely different implementation.

V2 firmware is for the later gen2 devices.

Yes, we know v4 should be more recent than v2, but that’s not how WD have chosen to name things…

And no, you can’t load v2 firmware on gen1 devices, or v4 firmware on gen 2 devices…

1 Like

Thank you for your detailed reply! I will follow your advice to re-import the latest firmware and go for the full reset… I stopped this procedure after I got 2% progress for like 12h… I also fully agree with the statement that security needs to be applied at all levels :slight_smile:

thank you - i did not know that … very interesting! :slight_smile: