Western Digital My Book Live devices being remotely wiped by attackers

Posted:
in General Discussion
Those who own devices in Western Digital's My Book Live line woke up on Wednesday to find their devices have been wiped clean in an attack being attributed to malware.

Image Credit: Western Digital forum user sunpeak
Image Credit: Western Digital forum user sunpeak


Western Digital customers worldwide are discovering that years of data have been wiped clean without a trace and seemingly factory reset. Additionally, users cannot log into their devices with their user-set passwords or the manufacturer's default password.

The issue is currently known only to affect My Book Live devices, which saw their final firmware update in 2015. The devices were sold from 2010 until 2014, but have been discontinued since then.

While the issue was initially thought only to affect a few users, more users are taking to the forums to report that their devices have also been wiped. However, it is not currently known how many users are being affected.

It seems as though My Book Live devices received a remote command on June 23 to begin a factory restore on June 23, with the script set to run overnight.

BleepingComputer points out that WD's My Book line isn't connected to the internet the same way that QNAP devices are. This, in theory, prevents them from being exposed to QLocker ransomware attacks.

Instead, WD My Book Live devices are stored behind a firewall and are accessed via the My Book Live app or through internet browsers. Some users suspect that Western Digital's servers were hacked, allowing a bad actor to send out a remote factory reset command.

Western Digital told BleepingComputer that they are investigating the attacks but do not believe that its servers are at fault. Instead, they suggest an unpatched vulnerability is the cause of the problem.

Currently, this attack is suggested to only be destructive in nature. There have been no reports of any party asking for ransom.

It appears that Western Digital knew about the security flaw well before the recent exploitation. Western Digital forum user "thetick" reports finding reports of the vulnerability that allows for remote command execution as far back as 2019.

Years earlier, Western Digital told WisCase that they were no longer responsible for My Book Live devices. At the time, the company considered them "legacy devices" since they had been discontinued years prior.

To prevent further loss of data, Western Digital advises users to unplug My Book Live devices from the internet as soon as possible.

Keep up with everything Apple in the weekly AppleInsider Podcast -- and get a fast news update from AppleInsider Daily. Just say, "Hey, Siri," to your HomePod mini and ask for these podcasts, and our latest HomeKit Insider episode too.If you want an ad-free main AppleInsider Podcast experience, you can support the AppleInsider podcast by subscribing for $5 per month through Apple's Podcasts app, or via Patreon if you prefer any other podcast player.

Comments

  • Reply 1 of 18
    DAalsethDAalseth Posts: 2,800member
    Kinda torn on this. On one hand if WD knew that's bad. But if WD knew but had declared them legacy well before and no longer supported them, well, that's the risk. Shouldn't be using such an archaic device for critical storage. Would we expect Apple to patch a vulnerability in Bondi Blue iMacs at this point? OTOH the newest of these would just be barely seven years old. That's not that far back. I don't know. 🤷
    watto_cobra
  • Reply 2 of 18
    cincyteecincytee Posts: 410member
    DAalseth said:
    Kinda torn on this. On one hand if WD knew that's bad. But if WD knew but had declared them legacy well before and no longer supported them, well, that's the risk. Shouldn't be using such an archaic device for critical storage. Would we expect Apple to patch a vulnerability in Bondi Blue iMacs at this point? OTOH the newest of these would just be barely seven years old. That's not that far back. I don't know. 🤷

    I have no problem with declaring products "legacy" and offering no new functional upgrades or support for normal drive failures or software compatibility, but this kind of critical flaw, if known to them, should have been patched. Having your data remotely wiped is well beyond the normal "it's old, so it won't do everything the new version will" risk of using older hardware.
    sbdudethtmuthuk_vanalingamJanNLAlex_VdysamoriaFileMakerFellerwatto_cobra
  • Reply 3 of 18
    j2fusionj2fusion Posts: 153member
    cincytee said:
    DAalseth said:
    Kinda torn on this. On one hand if WD knew that's bad. But if WD knew but had declared them legacy well before and no longer supported them, well, that's the risk. Shouldn't be using such an archaic device for critical storage. Would we expect Apple to patch a vulnerability in Bondi Blue iMacs at this point? OTOH the newest of these would just be barely seven years old. That's not that far back. I don't know. ߤ禬t;/div>

    I have no problem with declaring products "legacy" and offering no new functional upgrades or support for normal drive failures or software compatibility, but this kind of critical flaw, if known to them, should have been patched. Having your data remotely wiped is well beyond the normal "it's old, so it won't do everything the new version will" risk of using older hardware.
    I think the key point is WD still provided the remote sign on mechanism and remote access to the drive. If they declared it “legacy” then they should have disabled remote access if they weren’t going to provide security patches and have it function as stand alone hard drive. I get the comparison to the Bondi Mac but that is a stand alone device and not tied in to other services.  
    edited June 2021 CloudTalkindocno42chiathtcincyteewilliamhtenthousandthingsJanNLdysamoriaFileMakerFeller
  • Reply 4 of 18
    docno42docno42 Posts: 3,757member
    Ah, the discipline of "computer science"

    Could you imagine if a professional engineer abandoned maintenance on some piece of critical infrastructure and put the onus on the users?  

    F**king IT is a joke.  I've never been more ashamed of my industry than here we are 40 years later and this shit is still happening.  Except now being limited to damage that could be done through a floppy or maybe over modem through the wonders of the Internet all this haphazardly created and maintained shit can be touched by anyone from anywhere in the world.

    Brilliant!
    thtmuthuk_vanalingamdysamoriadewmeFileMakerFeller
  • Reply 5 of 18
    rayboraybo Posts: 42member
    Most tech-oriented folks know to replace mechanical drives at least every 4 or 5 years, but most everyone is a not a techie. This is abhorrent...
    FileMakerFellerwatto_cobra
  • Reply 6 of 18
    sbdudesbdude Posts: 268member
    DAalseth said:
    Kinda torn on this. On one hand if WD knew that's bad. But if WD knew but had declared them legacy well before and no longer supported them, well, that's the risk. Shouldn't be using such an archaic device for critical storage. Would we expect Apple to patch a vulnerability in Bondi Blue iMacs at this point? OTOH the newest of these would just be barely seven years old. That's not that far back. I don't know. 🤷

    Completely agree. I think WD has some culpability here if they new their legacy firmware was exploitable and didn't notify the consumer. How else would the consumer know to be wary? I'd recommend against espousing this point of view on 9to5mac. That will get you tossed out on the street.
    FileMakerFeller
  • Reply 7 of 18
    DAalsethDAalseth Posts: 2,800member
    cincytee said:
    DAalseth said:
    Kinda torn on this. On one hand if WD knew that's bad. But if WD knew but had declared them legacy well before and no longer supported them, well, that's the risk. Shouldn't be using such an archaic device for critical storage. Would we expect Apple to patch a vulnerability in Bondi Blue iMacs at this point? OTOH the newest of these would just be barely seven years old. That's not that far back. I don't know. 🤷

    I have no problem with declaring products "legacy" and offering no new functional upgrades or support for normal drive failures or software compatibility, but this kind of critical flaw, if known to them, should have been patched. Having your data remotely wiped is well beyond the normal "it's old, so it won't do everything the new version will" risk of using older hardware.
    Now if as @j2fusion mentioned above WD is still providing the remote login mechanism, then legacy or not they ARE supporting them. In that case they would have an obligation to patch a critical flaw like this. 
    cincyteewilliamhFileMakerFellerwatto_cobra
  • Reply 8 of 18
    MplsPMplsP Posts: 3,956member
    This is a perfect example of why I have redundant backups - iCloud for cloud based storage & syncing, time machine for routine backups then a separate external drive that I connect a couple times a month with a separate incremental backup. Even if I get hit with some ransomware I have a separate, discrete backup that allows me to simply wipe the computer and restore without losing much data.

    I feel bad for these folks, but it appears that they were using their WD hard drives as their sole data repository. Rule number one of backups is to use a separate discrete device in case your primary device crashes.
    edited June 2021
  • Reply 9 of 18
    DAalsethDAalseth Posts: 2,800member
    MplsP said:
    This is a perfect example of why I have redundant backups - iCloud for cloud based storage & syncing, time machine for routine backups then a separate external drive that I connect a couple times a month with a separate incremental backup. Even if I get hit with some ransomware I have a separate, discrete backup that allows me to simply wipe the computer and restore without losing much data.

    I feel bad for these folks, but it appears that they were using their WD hard drives as their sole data repository. Rule number one of backups is to use a separate discrete device in case your primary device crashes.
    Exactly, the first rule is to have multiple backups in multiple locations. 
    Last winter the drives in my older iMacs started getting flaky. (That’s the second rule, if a drive acts up replace it before it fails completely.) I replaced them with SSDs, and then I had the choice of restoring from the old drive, TimeMachine backups, iCloud, or my off site storage disk. As it turned out I used a bit of all of them for different things. 
    watto_cobra
  • Reply 10 of 18
    avon b7avon b7 Posts: 7,747member
    With a little luck legislation will pass that will force companies to support products for longer and make support tems known to customers at purchase time.

    If a product needs some kind of vendor software to fulfil its advertised use, then that should be maintained for the life of the product. There is little obligation to add new features but patching security vulnerabilities should be an obligation, along with fixing bricked or otherwise impacted out of warranty devices that suffer due to firmware upgrades etc.

    There needs to be a huge change in mentality in this area and there's no doubt in my mind that a yearly upgrade cycle for major software is too fast to manage safely. 
    FileMakerFeller
  • Reply 11 of 18
    While this isn’t WD related i have had serious problems with two different macs restarting out of the blue stating serious problems, when i comb through the reports i found that an update to 1Password app was appearing in random applications like Photoshop among other apps and was causing kernel panics, had to use Terminal to kill 1password at root so i could delete the app and related files. so far so good, i haven’t see anyone else report having this issue but it’s something to watch for, system showed 1password updated on the 15th, even though i didn’t authorize the update
  • Reply 12 of 18
    When I was teaching intro IT courses I used to say there were three kinds of backup - SBB, HBB and PBB, being software, hardware and prayer based backup, the latter being ‘I’m praying I never need a backup’
    watto_cobra
  • Reply 13 of 18
    dysamoriadysamoria Posts: 3,430member
    docno42 said:
    Ah, the discipline of "computer science"

    Could you imagine if a professional engineer abandoned maintenance on some piece of critical infrastructure and put the onus on the users?  

    F**king IT is a joke.  I've never been more ashamed of my industry than here we are 40 years later and this shit is still happening.  Except now being limited to damage that could be done through a floppy or maybe over modem through the wonders of the Internet all this haphazardly created and maintained shit can be touched by anyone from anywhere in the world.

    Brilliant!
    Nice to meet a fellow recognizer of reality. An awake person.

    The computer industry is a dumpster fire. It’s not just bad products; it’s an utterly toxic culture of hypernormalization. 
  • Reply 14 of 18
    avon b7 said:
    With a little luck legislation will pass that will force companies to support products for longer and make support tems known to customers at purchase time.

    If a product needs some kind of vendor software to fulfil its advertised use, then that should be maintained for the life of the product. There is little obligation to add new features but patching security vulnerabilities should be an obligation, along with fixing bricked or otherwise impacted out of warranty devices that suffer due to firmware upgrades etc.

    There needs to be a huge change in mentality in this area and there's no doubt in my mind that a yearly upgrade cycle for major software is too fast to manage safely. 
    Careful what you wish for:  Adding legislative requirements will likely increase initial purchase price.  It would only apply to the countries/states that enacted the legislation.    Imagine if Microsoft was required to support Internet Explorer for another 7-10 years...  IE won't run on Windows 11, and will no longer be supported on Win10 in about a year.  IE hasn't been supported on a handful of other OS's for a long time.  Sometimes you can buy legacy support for some products (generally at high prices).  I understand one US Government department was still paying for OS/2 operating system support from IBM fairly recently, which must be an extreme example.  Microsoft sometimes offers support for software products to corporations after normal end of life, generally for a fairly high price.  Other software and hardware suppliers have similar policies.  Usually, paid support after end of life is not made available to individuals.  Companies can sometimes have third party support after end of life for hardware/software (also at relatively high prices).

    New legislation would likely only apply for purchases made after the date such legislation was enacted.  In the case of software and hardware, the warranty generally explicitly defines support length.  Most software and hardware warranties limit liability, state that if you disagree, your option is to return the item. Many say that disputes must be settled by arbitration (not in court), and that if you do not win the arbitration, you pay the cost of arbitration (including any costs incurred by the other party).  End of life in software and hardware is generally defined on the manufacturer's website, and does not mean the length of time the device/software will actually run.  I still see Win95 occasionally, and suspect there are some pre-WinTel PCs (Z80s and such), and pre-Intel Macs (Motorola 68000) still running, but neither has been supported for a long time.  

    Such legislation would potentially lead to similar legislation against car/truck manufacturers, car/truck parts manufacturers, appliance makers, financial products, food items...   
    edited June 2021 tmayFileMakerFeller
  • Reply 15 of 18
    avon b7avon b7 Posts: 7,747member
    avon b7 said:
    With a little luck legislation will pass that will force companies to support products for longer and make support tems known to customers at purchase time.

    If a product needs some kind of vendor software to fulfil its advertised use, then that should be maintained for the life of the product. There is little obligation to add new features but patching security vulnerabilities should be an obligation, along with fixing bricked or otherwise impacted out of warranty devices that suffer due to firmware upgrades etc.

    There needs to be a huge change in mentality in this area and there's no doubt in my mind that a yearly upgrade cycle for major software is too fast to manage safely. 
    Careful what you wish for:  Adding legislative requirements will likely increase initial purchase price.  It would only apply to the countries/states that enacted the legislation.    Imagine if Microsoft was required to support Internet Explorer for another 7-10 years...  IE won't run on Windows 11, and will no longer be supported on Win10 in about a year.  IE hasn't been supported on a handful of other OS's for a long time.  Sometimes you can buy legacy support for some products (generally at high prices).  I understand one US Government department was still paying for OS/2 operating system support from IBM fairly recently, which must be an extreme example.  Microsoft sometimes offers support for software products to corporations after normal end of life, generally for a fairly high price.  Other software and hardware suppliers have similar policies.  Usually, paid support after end of life is not made available to individuals.  Companies can sometimes have third party support after end of life for hardware/software (also at relatively high prices).

    New legislation would likely only apply for purchases made after the date such legislation was enacted.  In the case of software and hardware, the warranty generally explicitly defines support length.  Most software and hardware warranties limit liability, state that if you disagree, your option is to return the item. Many say that disputes must be settled by arbitration (not in court), and that if you do not win the arbitration, you pay the cost of arbitration (including any costs incurred by the other party).  End of life in software and hardware is generally defined on the manufacturer's website, and does not mean the length of time the device/software will actually run.  I still see Win95 occasionally, and suspect there are some pre-WinTel PCs (Z80s and such), and pre-Intel Macs (Motorola 68000) still running, but neither has been supported for a long time.  

    Such legislation would potentially lead to similar legislation against car/truck manufacturers, car/truck parts manufacturers, appliance makers, financial products, food items...   
    A variant of what I am proposing is already being looked at by the EU.

    It absolutely has to be controlled via legislation. Oversight, auditing, complaint resolution etc can be carried out by independent bodies.

    As we move deeper and deeper into the digital data age, it is an absolute requirement that users know, prior to purchase, what they are buying.

    My Samsung 'smart' TV was sold with a ton of features that were gradually switched off or broke over time. Often with a message that popped up once or twice when the device was switched on and never seen again. Firmware updates 'broke' things that worked previously. Interaction with other devices was supposed to work but the pointers to software that needed installing or for host devices didn't exist or wasn't compatible with host operating systems. 

    Product safety/security goes beyond the official warranty of the product itself. It should be maintained throughout the life of the device. In the digital data age security is relevant to our data and anything that has access to it should be maintained to prevent holes being exploited.

    Cost is something the user and legislation will determine but when it is for security it should be built into the price.

    There is zero good reason for the current yearly major upgrade cycle on mobile OS. We are seeing a lot of fluff being added anyway. Perhaps if development of major releases was slowed down a bit, quality and user security could be improved. It is only now that Apple is finally allowing users to sit on the existing OS  and not literally pushing them via incessant nags to upgrade to the latest and greatest. It's a good move.

    The only way to guarantee a level playing field is to legislate the whole support and security angle. It should include firmware upgrades that can be undone and the option to cleanly roll back to previous versions of the OS and applications.

    There also needs to be far greater transparency towards government on flaws and knowns security issues but at the very least, consumers need to know what they are getting into (in terms of security support) prior to purchase not have that information 'hidden' in an EULA. 
    edited June 2021 muthuk_vanalingam
  • Reply 16 of 18
    tmaytmay Posts: 6,363member
    avon b7 said:
    There is zero good reason for the current yearly major upgrade cycle on mobile OS. We are seeing a lot of fluff being added anyway. Perhaps if development of major releases was slowed down a bit, quality and user security could be improved. It is only now that Apple is finally allowing users to sit on the existing OS  and not literally pushing them via incessant nags to upgrade to the latest and greatest. It's a good move.
    That's not actually a reasonable idea, and I don't suspect that it would ever be considered by regulators.

    First of all, there are always new hardware features and functionality that have to be accommodated, and secondly, for those users that have a breadth of apple products, those interactions require keeping all devices up to date.

    Example; Universal Control 

    As you state, a person has the option of not updating at all. For myself, I find it reasonable to hold off updating for something on the order of 3 or 4 days, since most of the bugs will be picked up by early adopters. Sucks to be them, but that's a choice.

    The only way to guarantee a level playing field is to legislate the whole support and security angle. It should include firmware upgrades that can be undone and the option to cleanly roll back to previous versions of the OS and applications.
    That's also a bad idea. Apple could certainly rename and re-sign an update if it was as bad as I think that you imagine, and certainly has done that in the past, but in recent releases, the worst case is typically a few 10's of thousands effected by major bugs, out of a billion plus user base, and Apple's response has been within a few days.

    Now regulators could argue for a staggered release, but how would that work, and how would you measure the success of each step, prior to updating the next groups?

    I agree that Apple needs to do better on bugs, and I believe that they have, but with a user base as large as Apple's, bugs are still going to effect some people.
    FileMakerFeller
  • Reply 17 of 18
    All I know is that I will never purchase another WD product or drive again, and I use quite a bit of their product in my line of work.  Even Microsoft released a security patch for it's "obsolete" Windows XP product when made aware of a serious threat.  WD could have done the same.  At the very least, email the registered users 2 years ago when they were aware of this vulnerability.  Don't email me AFTER my drive was wiped, too little, too late.
  • Reply 18 of 18
    sbdude said:
    DAalseth said:
    Kinda torn on this. On one hand if WD knew that's bad. But if WD knew but had declared them legacy well before and no longer supported them, well, that's the risk. Shouldn't be using such an archaic device for critical storage. Would we expect Apple to patch a vulnerability in Bondi Blue iMacs at this point? OTOH the newest of these would just be barely seven years old. That's not that far back. I don't know. 🤷

    Completely agree. I think WD has some culpability here if they new their legacy firmware was exploitable and didn't notify the consumer. How else would the consumer know to be wary? I'd recommend against espousing this point of view on 9to5mac. That will get you tossed out on the street.
    I received an email with a warning to disconnect my drive 3 days AFTER mine was wiped.  Had they emailed me back in 2019...
Sign In or Register to comment.