Posts: 1,026 +171
A hot potato: Imagine the horror of waking up one day and discovering that your cloud-connected external backup drive has lost all data and factory reset itself. Unfortunately, that's exactly what's happened to an unknown number of WD My Book Live users whose drives have been wiped clean after being compromised by malicious software. Since the threat is still active, WD is advising owners to unplug their drives from the internet as it investigates the incident.
Update (June 30, 2021):
WD has posted recommended security measures for the My Book Live/Live Duo drives following user complaints of remote factory reset and data wipes. The company's investigation has discovered multiple vulnerabilities, including a command injection exploit that remotely let attackers run arbitrary code with root privileges on drives with remote access enabled. Some drives were also infected with a trojan binary, which has been sampled for further analysis.
The second vulnerability allowed for factory resetting the drive without authentication. Introduced as part of a firmware update in April 2011, WD says that a refactor of the authentication logic resulted in vulnerable code. Essentially, the user authentication check required for a factory reset had been disabled, followed by a failure to add the correct authentication type in the drives' config file.
"The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device." For affected customers, WD will begin offering data recovery services in July, alongside a trade-in program that will let users upgrade to a supported My Cloud drive.
The original story follows below:
WD My Book Live users are strongly advised to disconnect their drives from the internet following reports of widespread data wipes. The affected devices appear to be the consumer-focused NAS models - My Book Live and My Book Live Duo - that were apparently compromised by malicious software and remotely triggered to perform a factory reset.
As ArsTechnica notes, user complaints started pouring in on the WD's support forum, where some customers report being unable to access their WD Live accounts once the drive had been wiped clean. So far, none have managed to recover their lost data. One user also posted a log that showed a remote factory reset had taken place without their permission.
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
Although offline backups is one of the recommended strategies for keeping data safe, most users tend to buy these types of cloud-connected drives to store, backup and access their files across devices. Another user reported being unable to access their files via the iPhone app.
Tried to access some files via the iPhone app but got an error message saying “unable to connect”. Assumed it was just a Wi-Fi/network issue but when I tried to access the drive from my PC using a shortcut everything was gone except for (empty) default Public folders: Shared Music, Shared Pictures, Shared Videos and Software.
The time stamps on those folders say they were created at 00:16 (UK time) this morning.
There is also a .tickle file created at 00:17.
I can’t log into the UI on the device as it says my password is invalid.
The company says it is actively investigating the incident and found no indications of a breach or compromise of its cloud services or systems. "We have determined that some My Book Live devices have been compromised by a threat actor. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015."
Launched in 2011, WD dropped support for the My Book Live/Live Duo four years later. It's quite possible that the 'threat actor' exploited a vulnerability that remains unpatched to this day. Despite being discontinued in 2015, the drives can still be found for purchase online. Users looking for this type of external storage typically expect the hardware to fail first, however, compromised software can be equally damaging when it comes to cloud-connected drives.