This is exactly why my non-WD NAS sits behind a firewall with remote access off.
Miscreants can potentially gain admin-level control over Western Digital's My Cloud gear via an HTTP request over the network or internet. Researchers at infosec shop Securify revealed today the vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass …
And their customer service is so good (not).
I was thinking of getting a MyCloud, but I saw another post on El Reg that suggested ownCloud, which sounded interesting. I now have a new project where I'm going to take some old hardware and build my own home NAS with ownCloud - and lock out its IP number at the Internet firewall.
You might consider NextCloud. Mine is open to the world but securing IT stuff is my day job. If you are not sure then start with getting a VPN running for remote access to home. OpenVPN listening on 443/tcp looks very like a https website which can work nicely on many sites and you can even drill it through many web proxies if needed.
We had a WD device on our network. About a year ago.
I got the heebie jeebies when it was disclosed how to compromise it that I stole it out from underneath said user's desk and hid it somewhere. Of course there was a big outcry, but I kept schtum, because I did not want it back on the network, and they will not understand the reason why.
Now I'm glad I did so. One of the trickses us BOFH's had to do.
Biting the hand that feeds IT © 1998–2019