Western Digital My Book Live devices being remotely wiped by attackers

Those who own devices in Western Digital's My Book Live line woke up on Wednesday to find their devices have been wiped clean in an attack being attributed to malware.

Image Credit: Western Digital forum user sunpeak


Western Digital customers worldwide are discovering that years of data have been wiped clean without a trace and seemingly factory reset. Additionally, users cannot log into their devices with their user-set passwords or the manufacturer's default password.

The issue is currently known only to affect My Book Live devices, which saw their final firmware update in 2015. The devices were sold from 2010 until 2014, but have been discontinued since then.

While the issue was initially thought only to affect a few users, more users are taking to the forums to report that their devices have also been wiped. However, it is not currently known how many users are being affected.

It seems as though My Book Live devices received a remote command on June 23 to begin a factory restore, with the script set to run overnight.

BleepingComputer points out that WD's My Book line isn't connected to the internet the same way that QNAP devices are. This, in theory, prevents them from being exposed to QLocker ransomware attacks.

Instead, WD My Book Live devices are stored behind a firewall and are accessed via the My Book Live app or through internet browsers. Some users suspect that Western Digital's servers were hacked, allowing a bad actor to send out a remote factory reset command.

Western Digital told BleepingComputer that it is investigating the attacks but does not believe that its servers are at fault. Instead, the company suggests an unpatched vulnerability is the cause of the problem.

So far, the attack appears to be purely destructive in nature. There have been no reports of any party asking for ransom.

It appears that Western Digital knew about the security flaw well before the recent exploitation. Western Digital forum user "thetick" says they found reports of the vulnerability, which allows for remote command execution, dating as far back as 2019.

Years earlier, Western Digital told WisCase that they were no longer responsible for My Book Live devices. At the time, the company considered them "legacy devices" since they had been discontinued years prior.

To prevent further loss of data, Western Digital advises users to unplug My Book Live devices from the internet as soon as possible.


Comments

  • Reply 1 of 18
    DAalseth Posts: 2,783 member
    Kinda torn on this. On one hand if WD knew that's bad. But if WD knew but had declared them legacy well before and no longer supported them, well, that's the risk. Shouldn't be using such an archaic device for critical storage. Would we expect Apple to patch a vulnerability in Bondi Blue iMacs at this point? OTOH the newest of these would just be barely seven years old. That's not that far back. I don't know. 🤷
  • Reply 2 of 18
    cincytee Posts: 404 member
    DAalseth said:
    Kinda torn on this. On one hand if WD knew that's bad. But if WD knew but had declared them legacy well before and no longer supported them, well, that's the risk. Shouldn't be using such an archaic device for critical storage. Would we expect Apple to patch a vulnerability in Bondi Blue iMacs at this point? OTOH the newest of these would just be barely seven years old. That's not that far back. I don't know. 🤷

    I have no problem with declaring products "legacy" and offering no new functional upgrades or support for normal drive failures or software compatibility, but this kind of critical flaw, if known to them, should have been patched. Having your data remotely wiped is well beyond the normal "it's old, so it won't do everything the new version will" risk of using older hardware.
  • Reply 3 of 18
    j2fusion Posts: 153 member
    cincytee said:
    DAalseth said:
    Kinda torn on this. On one hand if WD knew that's bad. But if WD knew but had declared them legacy well before and no longer supported them, well, that's the risk. Shouldn't be using such an archaic device for critical storage. Would we expect Apple to patch a vulnerability in Bondi Blue iMacs at this point? OTOH the newest of these would just be barely seven years old. That's not that far back. I don't know. 🤷

    I have no problem with declaring products "legacy" and offering no new functional upgrades or support for normal drive failures or software compatibility, but this kind of critical flaw, if known to them, should have been patched. Having your data remotely wiped is well beyond the normal "it's old, so it won't do everything the new version will" risk of using older hardware.
    I think the key point is WD still provided the remote sign on mechanism and remote access to the drive. If they declared it “legacy” then they should have disabled remote access if they weren’t going to provide security patches and have it function as stand alone hard drive. I get the comparison to the Bondi Mac but that is a stand alone device and not tied in to other services.  
    edited June 2021
  • Reply 4 of 18
    docno42 Posts: 3,755 member
    Ah, the discipline of "computer science"

    Could you imagine if a professional engineer abandoned maintenance on some piece of critical infrastructure and put the onus on the users?  

    F**king IT is a joke.  I've never been more ashamed of my industry than here we are 40 years later and this shit is still happening.  Except now being limited to damage that could be done through a floppy or maybe over modem through the wonders of the Internet all this haphazardly created and maintained shit can be touched by anyone from anywhere in the world.

    Brilliant!
  • Reply 5 of 18
    raybo Posts: 42 member
    Most tech-oriented folks know to replace mechanical drives at least every 4 or 5 years, but most everyone is not a techie. This is abhorrent...
  • Reply 6 of 18
    sbdude Posts: 261 member
    DAalseth said:
    Kinda torn on this. On one hand if WD knew that's bad. But if WD knew but had declared them legacy well before and no longer supported them, well, that's the risk. Shouldn't be using such an archaic device for critical storage. Would we expect Apple to patch a vulnerability in Bondi Blue iMacs at this point? OTOH the newest of these would just be barely seven years old. That's not that far back. I don't know. 🤷

    Completely agree. I think WD has some culpability here if they knew their legacy firmware was exploitable and didn't notify the consumer. How else would the consumer know to be wary? I'd recommend against espousing this point of view on 9to5mac. That will get you tossed out on the street.
  • Reply 7 of 18
    DAalseth Posts: 2,783 member
    cincytee said:
    DAalseth said:
    Kinda torn on this. On one hand if WD knew that's bad. But if WD knew but had declared them legacy well before and no longer supported them, well, that's the risk. Shouldn't be using such an archaic device for critical storage. Would we expect Apple to patch a vulnerability in Bondi Blue iMacs at this point? OTOH the newest of these would just be barely seven years old. That's not that far back. I don't know. 🤷

    I have no problem with declaring products "legacy" and offering no new functional upgrades or support for normal drive failures or software compatibility, but this kind of critical flaw, if known to them, should have been patched. Having your data remotely wiped is well beyond the normal "it's old, so it won't do everything the new version will" risk of using older hardware.
    Now if as @j2fusion mentioned above WD is still providing the remote login mechanism, then legacy or not they ARE supporting them. In that case they would have an obligation to patch a critical flaw like this. 
  • Reply 8 of 18
    MplsP Posts: 3,931 member
    This is a perfect example of why I have redundant backups - iCloud for cloud based storage & syncing, time machine for routine backups then a separate external drive that I connect a couple times a month with a separate incremental backup. Even if I get hit with some ransomware I have a separate, discrete backup that allows me to simply wipe the computer and restore without losing much data.

    I feel bad for these folks, but it appears that they were using their WD hard drives as their sole data repository. Rule number one of backups is to use a separate discrete device in case your primary device crashes.
    edited June 2021
  • Reply 9 of 18
    DAalseth Posts: 2,783 member
    MplsP said:
    This is a perfect example of why I have redundant backups - iCloud for cloud based storage & syncing, time machine for routine backups then a separate external drive that I connect a couple times a month with a separate incremental backup. Even if I get hit with some ransomware I have a separate, discrete backup that allows me to simply wipe the computer and restore without losing much data.

    I feel bad for these folks, but it appears that they were using their WD hard drives as their sole data repository. Rule number one of backups is to use a separate discrete device in case your primary device crashes.
    Exactly, the first rule is to have multiple backups in multiple locations. 
    Last winter the drives in my older iMacs started getting flaky. (That’s the second rule, if a drive acts up replace it before it fails completely.) I replaced them with SSDs, and then I had the choice of restoring from the old drive, TimeMachine backups, iCloud, or my off site storage disk. As it turned out I used a bit of all of them for different things. 
  • Reply 10 of 18
    avon b7 Posts: 7,693 member
    With a little luck legislation will pass that will force companies to support products for longer and make support terms known to customers at purchase time.

    If a product needs some kind of vendor software to fulfil its advertised use, then that should be maintained for the life of the product. There is little obligation to add new features but patching security vulnerabilities should be an obligation, along with fixing bricked or otherwise impacted out of warranty devices that suffer due to firmware upgrades etc.

    There needs to be a huge change in mentality in this area and there's no doubt in my mind that a yearly upgrade cycle for major software is too fast to manage safely. 
  • Reply 11 of 18
    While this isn’t WD related, I have had serious problems with two different Macs restarting out of the blue stating serious problems. When I combed through the reports I found that an update to the 1Password app was appearing in random applications like Photoshop among other apps and was causing kernel panics; I had to use Terminal to kill 1Password at root so I could delete the app and related files. So far so good. I haven’t seen anyone else report having this issue, but it’s something to watch for. The system showed 1Password updated on the 15th, even though I didn’t authorize the update.
  • Reply 12 of 18
    When I was teaching intro IT courses I used to say there were three kinds of backup - SBB, HBB and PBB, being software, hardware and prayer based backup, the latter being ‘I’m praying I never need a backup’
  • Reply 13 of 18
    dysamoria Posts: 3,430 member
    docno42 said:
    Ah, the discipline of "computer science"

    Could you imagine if a professional engineer abandoned maintenance on some piece of critical infrastructure and put the onus on the users?  

    F**king IT is a joke.  I've never been more ashamed of my industry than here we are 40 years later and this shit is still happening.  Except now being limited to damage that could be done through a floppy or maybe over modem through the wonders of the Internet all this haphazardly created and maintained shit can be touched by anyone from anywhere in the world.

    Brilliant!
    Nice to meet a fellow recognizer of reality. An awake person.

    The computer industry is a dumpster fire. It’s not just bad products; it’s an utterly toxic culture of hypernormalization. 
  • Reply 14 of 18
    avon b7 said:
    With a little luck legislation will pass that will force companies to support products for longer and make support terms known to customers at purchase time.

    If a product needs some kind of vendor software to fulfil its advertised use, then that should be maintained for the life of the product. There is little obligation to add new features but patching security vulnerabilities should be an obligation, along with fixing bricked or otherwise impacted out of warranty devices that suffer due to firmware upgrades etc.

    There needs to be a huge change in mentality in this area and there's no doubt in my mind that a yearly upgrade cycle for major software is too fast to manage safely. 
    Careful what you wish for:  Adding legislative requirements will likely increase initial purchase price.  It would only apply to the countries/states that enacted the legislation.    Imagine if Microsoft was required to support Internet Explorer for another 7-10 years...  IE won't run on Windows 11, and will no longer be supported on Win10 in about a year.  IE hasn't been supported on a handful of other OS's for a long time.  Sometimes you can buy legacy support for some products (generally at high prices).  I understand one US Government department was still paying for OS/2 operating system support from IBM fairly recently, which must be an extreme example.  Microsoft sometimes offers support for software products to corporations after normal end of life, generally for a fairly high price.  Other software and hardware suppliers have similar policies.  Usually, paid support after end of life is not made available to individuals.  Companies can sometimes have third party support after end of life for hardware/software (also at relatively high prices).

    New legislation would likely only apply for purchases made after the date such legislation was enacted.  In the case of software and hardware, the warranty generally explicitly defines support length.  Most software and hardware warranties limit liability, state that if you disagree, your option is to return the item. Many say that disputes must be settled by arbitration (not in court), and that if you do not win the arbitration, you pay the cost of arbitration (including any costs incurred by the other party).  End of life in software and hardware is generally defined on the manufacturer's website, and does not mean the length of time the device/software will actually run.  I still see Win95 occasionally, and suspect there are some pre-WinTel PCs (Z80s and such), and pre-Intel Macs (Motorola 68000) still running, but neither has been supported for a long time.  

    Such legislation would potentially lead to similar legislation against car/truck manufacturers, car/truck parts manufacturers, appliance makers, financial products, food items...   
    edited June 2021
  • Reply 15 of 18
    avon b7 Posts: 7,693 member
    avon b7 said:
    With a little luck legislation will pass that will force companies to support products for longer and make support terms known to customers at purchase time.

    If a product needs some kind of vendor software to fulfil its advertised use, then that should be maintained for the life of the product. There is little obligation to add new features but patching security vulnerabilities should be an obligation, along with fixing bricked or otherwise impacted out of warranty devices that suffer due to firmware upgrades etc.

    There needs to be a huge change in mentality in this area and there's no doubt in my mind that a yearly upgrade cycle for major software is too fast to manage safely. 
    Careful what you wish for:  Adding legislative requirements will likely increase initial purchase price.  It would only apply to the countries/states that enacted the legislation.    Imagine if Microsoft was required to support Internet Explorer for another 7-10 years...  IE won't run on Windows 11, and will no longer be supported on Win10 in about a year.  IE hasn't been supported on a handful of other OS's for a long time.  Sometimes you can buy legacy support for some products (generally at high prices).  I understand one US Government department was still paying for OS/2 operating system support from IBM fairly recently, which must be an extreme example.  Microsoft sometimes offers support for software products to corporations after normal end of life, generally for a fairly high price.  Other software and hardware suppliers have similar policies.  Usually, paid support after end of life is not made available to individuals.  Companies can sometimes have third party support after end of life for hardware/software (also at relatively high prices).

    New legislation would likely only apply for purchases made after the date such legislation was enacted.  In the case of software and hardware, the warranty generally explicitly defines support length.  Most software and hardware warranties limit liability, state that if you disagree, your option is to return the item. Many say that disputes must be settled by arbitration (not in court), and that if you do not win the arbitration, you pay the cost of arbitration (including any costs incurred by the other party).  End of life in software and hardware is generally defined on the manufacturer's website, and does not mean the length of time the device/software will actually run.  I still see Win95 occasionally, and suspect there are some pre-WinTel PCs (Z80s and such), and pre-Intel Macs (Motorola 68000) still running, but neither has been supported for a long time.  

    Such legislation would potentially lead to similar legislation against car/truck manufacturers, car/truck parts manufacturers, appliance makers, financial products, food items...   
    A variant of what I am proposing is already being looked at by the EU.

    It absolutely has to be controlled via legislation. Oversight, auditing, complaint resolution etc can be carried out by independent bodies.

    As we move deeper and deeper into the digital data age, it is an absolute requirement that users know, prior to purchase, what they are buying.

    My Samsung 'smart' TV was sold with a ton of features that were gradually switched off or broke over time. Often with a message that popped up once or twice when the device was switched on and never seen again. Firmware updates 'broke' things that worked previously. Interaction with other devices was supposed to work but the pointers to software that needed installing or for host devices didn't exist or wasn't compatible with host operating systems. 

    Product safety/security goes beyond the official warranty of the product itself. It should be maintained throughout the life of the device. In the digital data age security is relevant to our data and anything that has access to it should be maintained to prevent holes being exploited.

    Cost is something the user and legislation will determine but when it is for security it should be built into the price.

    There is zero good reason for the current yearly major upgrade cycle on mobile OS. We are seeing a lot of fluff being added anyway. Perhaps if development of major releases was slowed down a bit, quality and user security could be improved. It is only now that Apple is finally allowing users to sit on the existing OS  and not literally pushing them via incessant nags to upgrade to the latest and greatest. It's a good move.

    The only way to guarantee a level playing field is to legislate the whole support and security angle. It should include firmware upgrades that can be undone and the option to cleanly roll back to previous versions of the OS and applications.

    There also needs to be far greater transparency towards government on flaws and known security issues but at the very least, consumers need to know what they are getting into (in terms of security support) prior to purchase not have that information 'hidden' in an EULA. 
    edited June 2021
  • Reply 16 of 18
    tmay Posts: 6,340 member
    avon b7 said:
    There is zero good reason for the current yearly major upgrade cycle on mobile OS. We are seeing a lot of fluff being added anyway. Perhaps if development of major releases was slowed down a bit, quality and user security could be improved. It is only now that Apple is finally allowing users to sit on the existing OS  and not literally pushing them via incessant nags to upgrade to the latest and greatest. It's a good move.
    That's not actually a reasonable idea, and I don't suspect that it would ever be considered by regulators.

    First of all, there are always new hardware features and functionality that have to be accommodated, and secondly, for those users that have a breadth of apple products, those interactions require keeping all devices up to date.

    Example; Universal Control 

    As you state, a person has the option of not updating at all. For myself, I find it reasonable to hold off updating for something on the order of 3 or 4 days, since most of the bugs will be picked up by early adopters. Sucks to be them, but that's a choice.

    The only way to guarantee a level playing field is to legislate the whole support and security angle. It should include firmware upgrades that can be undone and the option to cleanly roll back to previous versions of the OS and applications.
    That's also a bad idea. Apple could certainly rename and re-sign an update if it was as bad as I think that you imagine, and certainly has done that in the past, but in recent releases, the worst case is typically a few 10's of thousands affected by major bugs, out of a billion plus user base, and Apple's response has been within a few days.

    Now regulators could argue for a staggered release, but how would that work, and how would you measure the success of each step, prior to updating the next groups?

    I agree that Apple needs to do better on bugs, and I believe that they have, but with a user base as large as Apple's, bugs are still going to affect some people.
  • Reply 17 of 18
    All I know is that I will never purchase another WD product or drive again, and I use quite a bit of their product in my line of work.  Even Microsoft released a security patch for its "obsolete" Windows XP product when made aware of a serious threat.  WD could have done the same.  At the very least, email the registered users 2 years ago when they were aware of this vulnerability.  Don't email me AFTER my drive was wiped, too little, too late.
  • Reply 18 of 18
    sbdude said:
    DAalseth said:
    Kinda torn on this. On one hand if WD knew that's bad. But if WD knew but had declared them legacy well before and no longer supported them, well, that's the risk. Shouldn't be using such an archaic device for critical storage. Would we expect Apple to patch a vulnerability in Bondi Blue iMacs at this point? OTOH the newest of these would just be barely seven years old. That's not that far back. I don't know. 🤷

    Completely agree. I think WD has some culpability here if they knew their legacy firmware was exploitable and didn't notify the consumer. How else would the consumer know to be wary? I'd recommend against espousing this point of view on 9to5mac. That will get you tossed out on the street.
    I received an email with a warning to disconnect my drive 3 days AFTER mine was wiped.  Had they emailed me back in 2019...