Friday, June 25th 2021

Western Digital: Disconnect WD My Book Live External HDDs From the Internet Immediately

Western Digital has issued a recommendation for all owners of the company's My Book Live and My Book Live Duo products: immediately disconnect them from the Internet or risk full data loss. The warning came after reports started surfacing of distraught users of WD's My Book Live having their entire data deleted without any user interaction or intervention. The recommendation will stand until the company can investigate and solve the issue that has led to the deletion of terabytes of data around the world.

Apparently, factory resets were undertaken on the drives without any sort of user interaction. Some users have shared logs on what exactly happened. Western Digital stopped supporting their My Book Live products back in 2015, which means there are now six full years of operation (at the least) without any security updates. WD seems to believe that individual user accounts were compromised, and the company issued a statement regarding the ongoing investigation. If you have one of these products, take heed, and disconnect them from your network.
Sources: via Ars Technica, Western Digital, TechPowerUp Forums

37 Comments on Western Digital: Disconnect WD My Book Live External HDDs From the Internet Immediately

#1
BSim500
And this is why any sane backup strategy will always have multiple backups of which at least 1x will be offline 99% of the time...
Posted on Reply
#2
TheLostSwede
I know someone that was using one of these up until last month. Lucky coincidence he just bought a proper NAS.
Posted on Reply
#3
DeathtoGnomes
[tinhat on] someone had some damning evidence on one of those drives and the government needed to get rid of it. What better way than to cause a scandal such as this to cover destroying that one drive by hacking the lot of them? Either that or the hacker doing this just wasn't good enough to limit the scope. [/tinhat off]

I feel bad for that effort wasted on downloaded porn saved on them drives... :D :roll:
Posted on Reply
#4
Yttersta
Wow, a device without any security updates for 6 years. This was bound to happen and I don't think even 1% of the blame is on the consumer here. A device sold under a "free cloud for life" marketing as such should be covered for security for as long as its lifespan. And clearly, the drives have had a longer lifespan than the utter pillocks who made the decision to pull support had predicted.
Posted on Reply
#5
turbogear
That's one of the reasons why I use a proper 4-bay NAS from Synology which is not open to the Internet.
Mine is now 8 years old but thankfully Synology still provides updates until now.
Posted on Reply
#6
Frick
Fishfaced Nincompoop
Western Digital WD My Book Live and WD My Book Live Duo (all versions) have a root Remote Command Execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,
nvd.nist.gov/vuln/detail/CVE-2018-18472

Basically another tale of how important it is to not have stuff needlessly connected to the Internet. The affected drives were discontinued in 2014, and the bug above was found in 2018.
Posted on Reply
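A defender-side way to look for the injection described in the comment above, as an added example that is not part of the original thread or of any WD software: it scans web-server access logs for hits on the language_configuration endpoint whose language parameter fails a locale allow-list, and the same allow-list is the check the endpoint itself should apply before the value gets anywhere near a shell. The common-log-format layout, the GET query string and the sample lines are assumptions constructed for the example.

```python
"""Added example, not code from the TechPowerUp page or from Western Digital.
Triage of access logs for hits on the My Book Live language_configuration
endpoint (the CVE-2018-18472 injection sink) whose `language` value carries
shell metacharacters. Log layout and sample lines are constructed assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/api/1.0/rest/language_configuration"
# Allow-list: a locale looks like "en" or "en_US"; anything else is rejected.
LOCALE_RE = re.compile(r"[a-z]{2}(_[A-Z]{2})?")
# Characters a POSIX shell interprets; checked explicitly to document intent.
SHELL_META = set(";|&`$()<>\"'\\\n")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def is_safe_locale(value):
    """The hardened validation the endpoint should apply before any shell use."""
    return LOCALE_RE.fullmatch(value) is not None and not (set(value) & SHELL_META)

def language_param(target):
    """Decoded `language` query value of a request target, or None if absent."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("language")
    return values[0] if values else None

def suspicious_requests(lines):
    """Return (ip, timestamp, language) for endpoint hits with an unsafe value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or urlsplit(m.group("target")).path != ENDPOINT:
            continue
        lang = language_param(m.group("target"))
        if lang is not None and not is_safe_locale(lang):
            hits.append((m.group("ip"), m.group("ts"), lang))
    return hits

# Constructed sample log (RFC 5737 documentation addresses, not real attackers).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jun/2021:03:14:07 +0000] "GET /api/1.0/rest/language_configuration?language=en_US HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Jun/2021:03:15:22 +0000] "GET /api/1.0/rest/language_configuration?language=en_US%3Bx HTTP/1.1" 200 512',
    '203.0.113.5 - - [23/Jun/2021:03:16:01 +0000] "GET /api/1.0/rest/status HTTP/1.1" 200 64',
    '198.51.100.7 - - [23/Jun/2021:03:16:40 +0000] "GET /api/1.0/rest/language_configuration?language=en_US%60x%60 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, ts, lang in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} unsafe language value {lang!r}")
```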
#7
newtekie1
Semi-Retired Folder
turbogear: That's one of the reasons why I use a proper 4-bay NAS from Synology which is not open to the Internet.
Mine is now 8 years old but thankfully Synology still provides updates until now.
This is why I just use a proper server.
Posted on Reply
#8
turbogear
As long as the hackers only deleted the data but did not write new bits onto the HDD, there is a possibility of recovering it.
There are tools available like this one:
www.ccleaner.com/recuva#main-content

It happened once to me that I accidentally chose the wrong drive for a quick format while wanting to install a fresh copy of Windows onto my computer.
I was able to recover the whole data by using such a tool.
Posted on Reply
#9
Verpal
turbogear: As long as the hackers only deleted the data but did not write new bits onto the HDD, there is a possibility of recovering it.
There are tools available like this one:
www.ccleaner.com/recuva#main-content

It happened once to me that I accidentally chose the wrong drive for a quick format while wanting to install a fresh copy of Windows onto my computer.
I was able to recover the whole data by using such a tool.
Not that simple, if I remember correctly WD books can be encrypted, if you factory reset an encrypted drive, you are 1000% screwed.
Posted on Reply
#10
turbogear
Verpal: Not that simple, if I remember correctly WD books can be encrypted, if you factory reset an encrypted drive, you are 1000% screwed.
Yes in that case, one is really screwed. :oops:
Posted on Reply
#11
Parn
Unbelievable. A product associated with "Cloud operation" but no security update for 6+ years?

I feel sorry for those who have lost their data. Hope they have some sort of regular offline backups. For those who still want to use these products as a standard NAS, they will have to create some routing rules on their routers to cut off WAN access from/to these WD boxes.
Posted on Reply
#12
Shihabyooo
And that is why I don't leave my unit powered up unless I'm using it, and have firewall rules for it at the router blocking any and all access to or from the internet.
But I guess it's time to salvage the drives in this PoS and use them in a safer, significantly better performing, classical fashion...
Verpal: Not that simple, if I remember correctly WD books can be encrypted, if you factory reset an encrypted drive, you are 1000% screwed.
Iirc, the encryption is done transparently on the hardware level, factory reset doesn't affect these keys, afaik. I think the problem here would be that recovery software can't get direct filesystem access. Though I do agree that the encryption would become a problem when attempting to directly connect the internal drive through a SATA connection.
Posted on Reply
#13
Operandi
Parn: Unbelievable. A product associated with "Cloud operation" but no security update for 6+ years?

I feel sorry for those who have lost their data. Hope they have some sort of regular offline backups. For those who still want to use these products as a standard NAS, they will have to create some routing rules on their routers to cut off WAN access from/to these WD boxes.
The problem here is that expecting people using drives like this to create custom network rules to isolate an insecure device because the vendor dropped the ball or lied about its life cycle (depending on how you look at it) is unrealistic; they just want to plug something in and have it work. A 4-bay QNAP would be very scary and/or out of their budget.

Tricky situation, but I would say it's on the user to have their data in more than one place, but it's also on WD to keep up on security updates if that's the expectation of the product.
Posted on Reply
#14
Bill_Bright
As I noted elsewhere, this is not good. I sure hope, once all is done and over with we don't discover that this malware exploited a vulnerability WD already knew about but failed to act accordingly - as seems to be a major factor in most security breaches in the last few years.

That is, most hacks and breaches are successful because the IT security people in these organizations already knew of the vulnerability, had the necessary patch or fix (often for months!), but - due to sheer laziness and lack of proper guidance from negligent upper management - they sat on their thumbs and neglected to install the patch or apply the fix. :mad: :banghead: :mad: :banghead:

If nothing else, as mentioned above, this should be yet another warning/reminder to everyone that we must all have "multiple" backups of any and all data we don't want to lose - and preferably with one copy maintained "off-site".
Posted on Reply
#15
Steevo
If they were smart they would offer a "trade" for new product at a slight discount and then offer a small fee subscription service for updated security software.
None of the internet attached devices will have an unlimited lifetime, hardware and software flaws are always going to be found and only offline local copies are immune to security issues.
Posted on Reply
#16
Bill_Bright
Steevo: If they were smart they would offer a "trade" for new product at a slight discount and then offer a small fee subscription service for updated security software.
That would be a smart marketing move. But I think a "deep" discount (rather than slight) would do better to keep WD users from jumping to a competing brand. This will be especially true if it turns out this was a known issue that easily could have been avoided.
Posted on Reply
#17
Chrispy_
Uh, if you're using something that's actively connected to the web and accessible from an external IP without security updates, you're either a moron or extremely ignorant.
Posted on Reply
#18
newtekie1
Semi-Retired Folder
Parn: Unbelievable. A product associated with "Cloud operation" but no security update for 6+ years?
On one hand, you can't expect a company to support a product forever even if it is web connected.

However, WD support for these products was really crap. They came out in late 2011/early 2012. WD seems to have discontinued them by the end of 2012. Then they completely dropped support and stopped updating them in 2015. That is only 3 or maybe 4 years of support. That is pathetic for a web connected device that stores people's data. I'd expect 10 years of security updates at least. Maybe not feature updates, but at least security updates.
Chrispy_: Uh, if you're using something that's actively connected to the web and accessible from an external IP without security updates, you're either a moron or extremely ignorant.
You gotta realize the people that buy these tend to be tech ignorant. I mean, how many people out there are running routers with significantly outdated firmware? Even the ones with a web-update function sit with outdated firmware because people never log into the interface and actually tell it to apply the update.
Posted on Reply
#19
Caring1
At least they should be happy their content wasn't downloaded then the drive reset.
I guess there would be some very nervous people wondering what happened to their data.
Posted on Reply
#20
Bill_Bright
Well, according to this WD security alert last updated yesterday,
We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.
That would indicate the users opened up access, exposing these devices to the outside world, without properly securing them. You can't blame WD if the user opens the front door and almost invites the bad guy in.

It does appear, however, that many users were able to recover their data with standard data recovery software, like Recuva. But of course, they should already have a backup copy of it anyway.
Posted on Reply
#21
MikeSnow
Hmm. I wonder if this is related to Chia farming.
Posted on Reply
#22
efikkan
Hook it up to the Internet, they said. It will be fun, they said. :rolleyes:
Posted on Reply
#23
newtekie1
Semi-Retired Folder
Bill_Bright: That would indicate the users opened up access, exposing these devices to the outside world, without properly securing them. You can't blame WD if the user opens the front door and almost invites the bad guy in.
Not if UPnP was used, then the device opened the port itself, possibly without the user even knowing it was happening.
Posted on Reply
#24
lexluthermiester
Raevenlord: If you have one of these products, take heed, and disconnect them from your network.
And this is yet another reason why people should ALWAYS keep things OFF the internet. There is absolutely no reason an external drive should be connected to the internet. Ever!

BTW, for those wondering, it would seem that the drive of subject in the above article used the Universal Plug & Play protocol. Such a service should NEVER be allowed to run, regardless of the reason or need. It is a Swiss cheese type security problem waiting to be exploited.
Posted on Reply
#25
Bill_Bright
newtekie1: Not if UPnP was used, then the device opened the port itself, possibly without the user even knowing it was happening.
Just another reason to make sure UPnP is disabled. Sadly, some routers have that enabled by default which makes no sense to me.
Posted on Reply