The mass wiping of Western Digital My Book Live storage devices may have been caused by a pair of vulnerabilities, and a leading theory suggests that it was fallout from rival hacking groups working against each other.
The remote wiping of WD's My Book Live lineup on July 23 left customers discovering that their files and backups had been deleted and the network storage appliance reset to factory defaults. While it was initially attributed to a malware attack exploiting a single vulnerability, analysis of the event suggests multiple elements were at play, including multiple vulnerabilities.
Security researchers discovered one vulnerability in the system's factory restore script, a PHP script that resets the device to its default configuration and wipes its data. While the feature would normally require the user's password as authentication, the lines of code that performed that check were commented out, making the check inoperable.
"The vendor commenting out the authentication in the system restore endpoint really doesn't make things look good for them," said Rumble CEO and security expert HD Moore to Ars Technica. "It's like they intentionally enabled the bypass."
This vulnerability was the second one attributed to the event, but it was discovered only five days after the wiping took place.
The first vulnerability attributed to the wipes, by WD itself, was an exploit discovered in late 2018. However, since WD had ended support for the My Book Live three years before the exploit's discovery, it was never fixed.
There is no clear explanation for the mass wipes, and confusion reigns about why two different exploits were used when the 2018 one alone was sufficient for root access. However, a theory has emerged that two parties were at work, not one.
Based on logs from affected devices, Derek Abdine, CTO of security firm Censys, proposed that one hacker used the 2018 exploit to take control of the devices. That attacker modified a language configuration file so that the same vulnerability could no longer be exploited without a password, effectively locking other hackers out of the same method.
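To make the factory-restore flaw described above concrete, here is an added illustration in PHP. It is not Western Digital's code, and none of the names in it (handleRestoreVulnerable, handleRestoreHardened, storedAdminPasswordHash, the constructed password) come from the device. It shows the shape of a reset handler whose password check has been commented out, next to a hardened handler that requires an authenticated session, re-verifies the password, and records every outcome in an audit log.

```php
<?php
// Added illustration, not Western Digital's code: a hypothetical factory-restore
// endpoint with its password check commented out, beside a hardened version.
declare(strict_types=1);

// Constructed stand-in for the device's stored administrator credential.
// A real device would keep a password hash in protected storage, never plaintext.
function storedAdminPasswordHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('constructed-admin-password', PASSWORD_DEFAULT);
    }
    return $hash;
}

// Stand-in for the destructive action. It only records that a reset would
// have happened, so the script can be run safely.
function performFactoryReset(array &$auditLog): string
{
    $auditLog[] = 'factory reset executed: configuration defaulted, user data wiped';
    return 'reset-performed';
}

// Vulnerable shape: the lines that validate the caller's password are commented
// out, so every request that reaches this handler wipes the device.
function handleRestoreVulnerable(array $request, array &$auditLog): string
{
    // if (!isset($request['password'])
    //     || !password_verify($request['password'], storedAdminPasswordHash())) {
    //     $auditLog[] = 'reset denied: bad or missing password';
    //     return 'denied';
    // }
    return performFactoryReset($auditLog);
}

// Hardened shape: a destructive endpoint requires an authenticated session,
// re-verifies the password, and writes an audit entry on every outcome.
function handleRestoreHardened(array $request, bool $sessionAuthenticated, array &$auditLog): string
{
    if (!$sessionAuthenticated) {
        $auditLog[] = 'reset denied: no authenticated session';
        return 'denied';
    }
    $password = $request['password'] ?? null;
    if (!is_string($password) || !password_verify($password, storedAdminPasswordHash())) {
        $auditLog[] = 'reset denied: bad or missing password';
        return 'denied';
    }
    return performFactoryReset($auditLog);
}

// Constructed requests: an anonymous remote caller sends no password at all.
$anonymousRequest = [];
$log = [];

printf("vulnerable handler, anonymous request: %s\n", handleRestoreVulnerable($anonymousRequest, $log));
printf("hardened handler, anonymous request:   %s\n", handleRestoreHardened($anonymousRequest, false, $log));
printf("hardened handler, wrong password:      %s\n", handleRestoreHardened(['password' => 'guess'], true, $log));
printf("hardened handler, correct password:    %s\n", handleRestoreHardened(['password' => 'constructed-admin-password'], true, $log));

echo "audit log:\n";
foreach ($log as $entry) {
    echo "  $entry\n";
}
```

Run with `php restore_example.php` (any PHP 7 or later): the vulnerable handler performs the reset for an empty request, while the hardened handler refuses it, refuses a wrong password, and only resets when both the session and the password check out. Note that restoring the password check closes only this endpoint; it does nothing against the separate 2018 root exploit, which is why the practical advice for an unsupported device remains the one WD gives, taking it off the internet.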
Some devices analyzed by WD were infected with malware that enabled them to be used as part of a botnet, which lends credence to this theory.
The use of the other exploit most likely indicates a second attacker, potentially a rival botnet operator, attempting either to take control of the exploited hardware for their own botnet or to render the storage devices useless to their competitor.
WD continues to advise users of the My Book Live range to disconnect the hardware from the internet as a precautionary measure. A fix appears unlikely, and requests by AppleInsider for comment regarding the matter have been ignored.
4 Comments
Like I said on my comment in the other article, I think WD has some culpability here because they continued to offer the remote access service. Any company that allows remote access has a responsibility to respond to new known threats. If they truly were going to end security updates, then they should have disabled remote access. Getting out the popcorn and waiting for the lawsuits.
Yes, this does seem egregious on the part of Western Digital. This was not an enterprise class device. Most of the people using it were not talented techies but everyday people wanting the simplest possible network file access. WD should have had a responsibility to protect their customers if the product was still able to be used on the internet. This is one of the largest hard drive companies in the world after all; they certainly had the resources to do so.
There should be a law that requires security updates for old equipment for say 10 years. There is zero reason this can't be done inexpensively, basically everything along these lines is Linux so a single package update, test and push is not hard at all.
Totally agree with the other commenters. If they were supporting the remote access then they were supporting the devices and should have been providing security updates. If they knew about the vulnerability for 3 years and did or said nothing they are even more culpable.