WD asks users to unplug their My Book Live drives from the internet following mass data...

Humza

Staff member
A hot potato: Imagine the horror of waking up one day and discovering that your cloud-connected external backup drive has lost all data and factory reset itself. Unfortunately, that's exactly what's happened to an unknown number of WD My Book Live users whose drives have been wiped clean after being compromised by malicious software. Since the threat is still active, WD is advising owners to unplug their drives from the internet as it investigates the incident.

Update (June 30, 2021):

WD has posted recommended security measures for the My Book Live/Live Duo drives following user complaints of remote factory reset and data wipes. The company's investigation has discovered multiple vulnerabilities, including a command injection exploit that remotely let attackers run arbitrary code with root privileges on drives with remote access enabled. Some drives were also infected with a trojan binary, which has been sampled for further analysis.

The second vulnerability allowed the drive to be factory reset without authentication. According to WD, it was introduced in a firmware update in April 2011, when a refactor of the authentication logic left the code vulnerable: the user authentication check required for a factory reset had been disabled, and the correct authentication type was then never added to the drive's config file.
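As an added illustration (not WD's code; the endpoint names, roles and config layout are hypothetical), the following Python sketch contrasts a permissive lookup, where an endpoint missing from the config silently needs no authentication, with a fail-closed lookup that would have denied the unauthenticated reset described above:

```python
# Added example, not WD's code: models the config-driven authorization gap
# described in the article. Endpoint names, roles and config layout are
# hypothetical.

VALID_AUTH_TYPES = {"none", "user", "owner"}
ROLE_RANK = {"none": 0, "user": 1, "owner": 2}

# Per-endpoint authentication requirements, as a web UI might load them from
# a config file. "factory_restore" is deliberately absent: its entry was
# never added, mirroring the gap the article describes.
ENDPOINT_AUTH = {
    "get_status": "none",
    "set_hostname": "owner",
}

def required_auth_permissive(endpoint):
    """Vulnerable pattern: an endpoint missing from the config needs no auth."""
    return ENDPOINT_AUTH.get(endpoint, "none")

def required_auth_fail_closed(endpoint):
    """Hardened pattern: anything missing or malformed requires the owner role."""
    auth = ENDPOINT_AUTH.get(endpoint)
    return auth if auth in VALID_AUTH_TYPES else "owner"

def authorize(endpoint, session_role, policy=required_auth_fail_closed):
    """True only if the caller's role meets the endpoint's requirement.

    Unknown session roles rank below 'none', so they never pass.
    """
    needed = policy(endpoint)
    return ROLE_RANK.get(session_role, -1) >= ROLE_RANK[needed]

def audit_config(endpoints):
    """Startup check: list endpoints with no explicit policy, so a dropped
    config entry is caught before the endpoint is reachable over the network."""
    return sorted(e for e in endpoints if e not in ENDPOINT_AUTH)
```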

According to WD, "The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device." For affected customers, WD will begin offering data recovery services in July, alongside a trade-in program that lets users upgrade to a supported My Cloud drive.

WD My Book Live users are strongly advised to disconnect their drives from the internet following reports of widespread data wipes. The affected devices appear to be the consumer-focused NAS models - My Book Live and My Book Live Duo - that were apparently compromised by malicious software and remotely triggered to perform a factory reset.

As ArsTechnica notes, user complaints started pouring in on WD's support forum, where some customers report being unable to access their WD Live accounts once the drive had been wiped clean. So far, none have managed to recover their lost data. One user also posted a log showing that a remote factory reset had taken place without their permission.

Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
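To show how a defender could spot this sequence in collected syslog, here is an added Python example (not from the article or from WD) that parses the log lines quoted above and flags a factoryRestore.sh run followed by a reboot and package re-provisioning; the sample log is the one posted by the affected user.

```python
import re

# The syslog-style lines posted by the affected user, embedded here as the
# sample input for the detector.
SAMPLE_LOG = """\
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

# "Mon DD HH:MM:SS host tag[pid]: message"; the pid is optional and the tag
# may be a bare "_" as in the pkg lines above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

def parse(line):
    """Return the fields of one syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect_factory_reset(log_text):
    """Find every factoryRestore.sh start and correlate it with what follows.

    Each finding records whether a reboot followed and which packages were
    re-provisioned afterwards, the fingerprint of a wipe-and-reinstall.
    """
    events = [e for e in map(parse, log_text.splitlines()) if e]
    findings = []
    for i, e in enumerate(events):
        if e["tag"] == "factoryRestore.sh" and e["msg"].startswith("begin script"):
            later = events[i + 1:]
            findings.append({
                "host": e["host"],
                "started": e["ts"],
                "rebooted": any(x["tag"] == "shutdown" for x in later),
                "reinstalled": [x["msg"].split("pkg: ", 1)[1]
                                for x in later if x["msg"].startswith("pkg: ")],
            })
    return findings
```

A reset the owner did not initiate should be treated as an indicator of compromise and correlated with remote-access logs from the same window.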

Although keeping offline backups is one of the recommended strategies for keeping data safe, most users tend to buy these types of cloud-connected drives to store, back up and access their files across devices. Another user reported being unable to access their files via the iPhone app.

Tried to access some files via the iPhone app but got an error message saying “unable to connect”. Assumed it was just a Wi-Fi/network issue but when I tried to access the drive from my PC using a shortcut everything was gone except for (empty) default Public folders: Shared Music, Shared Pictures, Shared Videos and Software.

The time stamps on those folders say they were created at 00:16 (UK time) this morning.

There is also a .tickle file created at 00:17.

I can’t log into the UI on the device as it says my password is invalid.

The company says it is actively investigating the incident and found no indications of a breach or compromise of its cloud services or systems. "We have determined that some My Book Live devices have been compromised by a threat actor. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015."

The My Book Live/Live Duo launched in 2011, and WD dropped support four years later. It's quite possible that the 'threat actor' exploited a vulnerability that remains unpatched to this day. Despite being discontinued in 2015, the drives can still be found for purchase online. Users looking for this type of external storage typically expect the hardware to fail first; however, compromised software can be equally damaging when it comes to cloud-connected drives.


 
WD is certainly showcasing why no one buys their NAS enclosures...
I am one of those "clever" ones who own one :D
It was cheap, the software and Cloud part of the NAS is incredibly crappy, so I have had it disabled since day one. Guess that saved me in this case.

It's never a good idea not to invest in a decent NAS, if you have a bit more money to spare (Synology and Qnap are light years ahead compared to WD).
 
Never use the bloatware that comes with portable drives! I had two data loss incidents, which are both with WD, so far in my life. The recent one happened yesterday: the fncking half-assed WD software got me zero-byte files on my newly purchased 5TB My Passport Ultra!
 
I am one of those "clever" ones who own one :D
It was cheap, the software and Cloud part of the NAS is incredibly crappy, so I have had it disabled since day one. Guess that saved me in this case.

It's never a good idea not to invest in a decent NAS, if you have a bit more money to spare (Synology and Qnap are light years ahead compared to WD).
If you can though, building a NAS yourself always seems best, especially with the increased ease of use with systems like Unraid and the increased functionality you get (running docker containers or VMs etc.). DSM/QTS are quite prone to being targeted by ransomware, and Synology / Qnap aren't always the best at doing timely security updates, though if all you want to do is just have some network storage that is plug and play, then I can't blame you, along with the fact that their enclosures definitely look nicer to the eye compared to a great big used server.
 
... the software and Cloud part of the NAS is incredibly crappy, so I have it disabled since the day one. ... if you have a bit more money to spare (Synology and Qnap are light years ahead ...

Agreed. I tried for a while to get by with a few Seagate NAS-connected drives, like these MyBooks. The software was amateurish and almost unsupported, and disconnects were a weekly if not daily occurrence. I finally got a proper small Synology rig, installed a couple of WD Red drives, and it's been absolutely trouble-free for years.

In this case, obviously, some unpatched hole in the jack-leg interface software is letting the sociopaths in. It's a good thing WD discontinued these things when they did.
 
My choice for backup is a homemade SSD in an external enclosure - connect, copy files, disconnect. Personally, I can't stand the commercial backup drives.

My setup for backups is very similar. It consists of several 2 TB Seagate Expansion portable hard drives. "Connect, copy files, disconnect", that's how I've always done it too.

I am planning on getting a 10+ TB NAS to make all my files more easily accessible, but no one should rely on online backups (by "online" in this case I mean storage that remains connected to the machine and network). Never rely on an online NAS as your sole backup solution.
 
By the way, not to sound like a condescending prick but I'm surprised to learn there are people among TS's audience that have actually used or use the software that comes bundled with any drive. The first thing I do when I receive a new drive is a clean reformat to remove all bloatware.
 
This is why you always have a backup of your backup. (And keep it permanently unplugged from the net...)

This ^^^

I have hundreds of thousands of photos I've taken since I switched to digital photos in the 2000's. I have them backed up on an external drive, and TWO cloud storage places. Unless a nuke war or EMP goes off, I should be ok.
 
I'm suspicious: how do you compromise these drives across the internet without compromising the cloud service? Secondly, most real compromises would be ransomware attacks, not a file wipe.
My guess is WD screwed up a server side change and didn’t test something with these old drives and drives behaved badly and wiped their own data.
 
This is why you always have a backup of your backup. (And keep it permanently unplugged from the net...)

On the contrary, I would suggest keeping a cloud copy after sorting out encryption etc. And it seems that another local copy of the backup doesn't help much since backups are already copies that can be recreated from the master data. When an event hits both the master and the backup, the third local copy might not survive either.
 
On the contrary, I would suggest keeping a cloud copy after sorting out encryption etc. And it seems that another local copy of the backup doesn't help much since backups are already copies that can be recreated from the master data. When an event hits both the master and the backup, the third local copy might not survive either.
Have you ever heard the term, "air gapped"?

Speaking of which, since Newegg has pretty much been dropping its pants on the price of the smaller Samsung EVO SATA 3 SSDs (250 & 500 GB), I've collected enough to create C:/ backups for all my machines. Their migration software transfers with the OS still activated. All my personal data is backed up to machines not hooked to the web, and nothing is transferred to them without a virus scan being done.

Plus, I'm too lazy to type in Wi-Fi passwords. In fact, I bought a Windows 10 8" tablet years ago, and still haven't hooked it up to activate the OS.
 
Have you ever heard the term, "air gapped"?

Speaking of which, since Newegg has pretty much been dropping its pants on the price of the smaller Samsung EVO SATA 3 SSDs (250 & 500 GB), I've collected enough to create C:/ backups for all my machines. Their migration software transfers with the OS still activated. All my personal data is backed up to machines not hooked to the web, and nothing is transferred to them without a virus scan being done.

Plus, I'm too lazy to type in Wi-Fi passwords. In fact, I bought a Windows 10 8" tablet years ago, and still haven't hooked it up to activate the OS.
Air gap only protects against network attacks. There are all kinds of other threats like theft, fire, etc. That's why one needs cloud.

Also backup devices/cloud tend to have different OSs and hardware than main machines, so different vulnerabilities. Thus proper security settings shouldn't normally allow all to be 0-day attacked at the same time. And automated incremental backups with access controls give much more up-to-date backups without much effort.

An air-gapped local copy might be a reasonable complement, but due to staleness and low resilience to non-hacking events I don't think they are ideal as primary backups at all.
 
I built a FreeNAS with redundancy a while ago. It's very good, but I don't have any cloud backup configured apart from my photos, so I consider it limited backup protection - it's more of a convenience to access files on any device on the network.

Fact is, any device that's permanently connected to the internet is a potential target. If it's not getting updates it's vulnerable.
 
Fact is, any device that's permanently connected to the internet is a potential target. If it's not getting updates it's vulnerable.
Considering all the reports of M$' Windows 10 updates bricking people's machines, I'd have to say you're much better off with a backup copy of your data stored on an air gapped XP machine, than on a networked Win 10 box.

And hey, if XP takes a dump, there's always a live run with Linux

To whom it may concern:
I know it was never >your< machine that got bricked by Windows 10 update, just those "other guys". ;)
 
I bought one of the 5tb WD My Book Live drives, and 'shucked' it for extra storage. Am I right in thinking that I won't be affected, since I don't use any WD software?
 
Print them

I still have tons of photos from my FILM days ;)
Nice thing though, it costs me nothing to print the digital ones. I've been in the print/copier/fax/network business for 40 years. Free access to anything from desktop to wide format.
 
Considering all the reports of M$' Windows 10 updates bricking people's machines, I'd have to say you're much better off with a backup copy of your data stored on an air gapped XP machine, than on a networked Win 10 box.

And hey, if XP takes a dump, there's always a live run with Linux

To whom it may concern:
I know it was never >your< machine that got bricked by Windows 10 update, just those "other guys". ;)
The only computers I have ever worked on that got F*cked by a Windows update (xp, vista, 7 or 10) were always pretty heavily screwed up underneath by something else before that update caused a problem. Not to say there haven't been bad updates here and there, but most people had the OS install running pretty badly before that update came in and expected a decent place to install.
 
The only computers I have ever worked on that got F*cked by a Windows update (xp, vista, 7 or 10) were always pretty heavily screwed up underneath by something else before that update caused a problem. Not to say there haven't been bad updates here and there, but most people had the OS install running pretty badly before that update came in and expected a decent place to install.
Perhaps so. But at least with XP, Vista, and Windows 7, you still had free will not to apply the update, and now that's been taken away from us in its entirety.

So now, whatever bullsh!t M$ feels like inflicting on you, they will, without consent.

I'm still not on board with this external HDD nonsense. If you want a backup platform, even a "lowly XP box", as long as it's air gapped, is a far better solution. Hell, it could even be running Windows 95, as long as you scan whatever you put on it beforehand.
 