Don't trust cloud devices

While marketing material around certain personal cloud devices indicates they are entirely secure, independent security researcher Jeremy Brown begs to differ.

The security expert recently spent four days hacking three personal cloud devices, namely Western Digital's My Cloud, Akitio's MyCloud and Seagate Central.

He outlined his research yesterday at ITWeb Security Summit 2015, in Midrand.

His four-day excavation revealed "doom and gloom" when it comes to users' security, which Brown said is really the opposite - insecurity.

"And why should I care? Because I want to know, for example, how vulnerable my car is; if my router has hardcoded credentials; if the crypto I am using is backdoored; and how much privacy I have on my phone."

Basically, you might want to know what happens when you plug the cloud into your network, said Brown.

A personal cloud, as Brown defined it, is a collection of digital content and services accessible from any device. There are four primary types: online clouds, network-attached storage device clouds, server device clouds, and homemade clouds.

Three of the big players in this general space are Western Digital, Seagate and Akitio. And if their marketing material is anything to go by, "your data is always safe and completely under your control"; they "ensure your data is safe and accessible from anywhere"; and they also provide "safe and secure network storage".

But from the moment the devices were plugged in, noted Brown, cracks started to show. At the end of his hacking experiment, Brown rated the overall security of the Seagate, Akitio and Western Digital devices at 2/10, 1/10 and 1/10, respectively.

The bottom line, he commented, is the companies behind the cloud devices "obviously don't care enough about security". He noted security is number 19 on their priority list, with usability topping it and performance at number two.

"Clearly, the major players have taken a huge step back for security in this space."

The solutions, said Brown, are either to root the device yourself and disable everything ("kinda defeats the point of buying a cloud, right?"), or just not to buy these devices to begin with.

"Vendors must completely rethink how they work, [but] as of today, don't trust personal cloud devices. The 'cloud' in general is just a marketing lie."
