'Malicious' Actor Is Wiping The Data Of Countless Western Digital My Book Users

from the past-its-expiration-date dept

Owners of Western Digital’s popular My Book external hard drives aren’t having a particularly good week. The company is advising customers to stop using the devices for now after customers mysteriously found their data deleted. According to complaints over at the company’s website (first spotted by Bleeping Computer), many users say they woke up to find that the content of their external USB-connected storage drives had been completely wiped. Worse, they couldn’t log in to the device’s administrative systems to run any kind of diagnosis on the drives:

“I have a WD mybook live connected to my home LAN and worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seem there but empty. Previously the 2T volume was almost full but now it shows full capacity.

The even strange thing is when I try to log into the control UI for diagnosis I was only able to get to this landing page with an input box for "owner password". I have tried the default password "admin" and also what I could set for it with no luck. There seems to be no change to retrieve or reset password on this landing page either.”

The problem appears to have begun at around 3PM on June 23, at which point these devices started receiving a remote command to perform a factory reset. This appears to still be happening on a staggered basis. The Western Digital announcement sent out to customers suggests that a malicious actor has found a way to compromise the devices, and is deleting data for their own amusement:

“Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.”

There’s been absolutely no indication given of when customers can expect a fix. Western Digital stopped supporting the My Book Live in 2015 for cost reasons, leaving millions of devices with dated firmware and vulnerabilities. According to user threads at the company’s website, some Western Digital MyDrive users who say they disabled all cloud functionality to protect themselves say their data was wiped anyway. Since much of this data is encrypted, recovering it may prove to be a long shot, meaning that many users who thought they were being smart by backing up their essential files will have likely lost everything permanently.

It’s not that hard for an everyday consumer — inundated with an endless sea of obligations — to miss the handful of notifications (if they even existed) that their devices are now neither supported nor secure. Given the millions of shittily secured network routers and IoT devices that are being connected annually, the scope of the problem (and our collective apathy to it) really can’t be overstated. If you know somebody who uses this hardware for backups and storage, you might want to give them a nudge.


Comments on “'Malicious' Actor Is Wiping The Data Of Countless Western Digital My Book Users”

42 Comments
sumgai (profile) says:

Re: #1

As to 3 copies, let me amplify thusly:

Just about the first thing a PFY learns from the BOFH – Grandfather, Father, & Son. Not three copies of one thing, but three generations of copies of everything. Which means, three separate devices, rotating between them each backup period. For most users, once a week is probably enough. Highly critical data, once a day/night. I’ve even seen one case where it was twice daily! Applying that same scheme to differential backups (with a master copy) is also an acceptable practice.

I’m not so paranoid as to disconnect my laptop from the web when backing up, but I do remove the current generation device whenever I’m not backing up – I’ve made mistakes and set myself back (and wasted time recovering stuff) more than once, I don’t need internet clowns to help me on that score.

And if you attach a really high value to your data, optical media every so often is also de rigueur. Spinning rust can surprise you in an entirely unacceptable manner, trust me on that one.

This comment has been deemed insightful by the community.
mvario (profile) says:

2 things

Two notes… first, it’s the MyBook Live, the one that is network attached, not the regular MyBook that attaches directly to a computer.

Second, they were originally saying it was an old, fixed bug and people are SOL, but now it has been revealed that it is also a new 0-day.
https://www.bleepingcomputer.com/news/security/hackers-use-zero-day-to-mass-wipe-my-book-live-devices/

This comment has been deemed funny by the community.
That Anonymous Coward (profile) says:

Re: 2 things

"In the aptly named system_factory_restore script in the My Book Live’s firmware, the authentication checks were commented out, making it possible for anyone with access to the device to perform a factory reset."

No one would ever do this, so just comment out these lines so we get less support calls…

Anonymous Coward says:

Re: 2 things

Two notes… first, it’s the MyBook Live, the one that is network attached, not the regular MyBook that attaches directly to a computer.

So… if you buy a hard drive and connect it to your computer via an ethernet cable, you’re fucked, but if you connect via a USB cable, you’re okay. Do you think the buyers would have been aware of this distinction?

now it has been revealed that it is also a new 0-day.

"0-day" usually refers to a vulnerability, which this isn’t—the authentication check was deliberately removed so that anyone could run the "factory restore" without a password.

Kent says:

Cheap local storage is cheap!

I feel for everyone who lost their stuff, and perhaps I’m just naive, but with the seemingly ever shrinking cost of storage I have never been able to find a downside to backing up all of my stuff to an external drive that is intentionally only local, and never sees the internet. I assume that there are many, many cases in which this might not be practical, but speaking personally, not having my backup drive ever connected to a network is comforting.

This comment has been deemed insightful by the community.
Rekrul says:

Re: Re: Cheap local storage is cheap!

I’ve been lax (OK, lazy) about backing up the files on my external drives, but I burn stuff to data DVDs. I’ve heard all the arguments about bit-rot on burnable discs, but I still have CDRs I burned 20+ years ago that work 100% (I burn a checksum file to each disc). All the DVDs I’ve burned also work. Occasionally I get a bad burn that won’t verify, or a disc burned on a different system doesn’t want to read on my internal drive, but they always work on some drive.

People laugh and tell me that hard drives are so cheap that I should just be buying another drive to back the stuff up to. When they tell me this, I tell them about my 2TB Seagate drive that died almost exactly a year after I bought it. Or my 1TB Seagate drive that now refuses to read some of the files on it, even though Windows claims that it’s healthy.

Sure, I could buy multiple drives and make multiple copies, but the price of even old external drives never seems to drop below $80 or so and believe it or not, there are some people in the world who can’t afford to just drop $80-200 on tech that may just die on them and need to be replaced with another drive a few years down the road. Larger drives are cheaper. My friend had a 4TB drive that he loved, right up until it failed and took all his files with it.

Anonymous Coward says:

Re: Re: Re: Cheap local storage is cheap!

"When they tell me this, I tell them about my 2TB Seagate drive that died almost exactly a year after I bought it."

You got it replaced under the warranty then, right?
Standard for consumer drives is 3 years with them for drive failures.

I use the Ironwolf ones with 5 year guarantees, just for additional security, and always mirror my backups to multiple physical drives so I still have copies while I’m getting a failed drive replaced.

Rekrul says:

Re: Re: Re:2 Cheap local storage is cheap!

No, actually I returned it to Costco and got my money back, then went and bought a Western Digital drive. My friend had a small Seagate external drive that failed, this Seagate failed after a year and my other Seagate now can’t read some files (but I have those backed up on another drive). I really didn’t want another Seagate drive.

It had a two year data recovery plan with it and I thought about sending it in, but I had saved some adult material to the drive. There was nothing blatantly illegal, but it’s not as if I had documentation of the ages of everyone in the videos and I’ve read horror stories about people getting charged with possession of child porn because they had images or videos where the girls just looked young. It probably would have been fine, but I didn’t want to take the chance.

This comment has been deemed insightful by the community.
Eldakka (profile) says:

Re: Cheap local storage is cheap!

I feel for everyone who lost their stuff, and perhaps I’m just naive, but with the seemingly ever shrinking cost of storage I have never been able to find a downside to backing up all of my stuff to an external drive that is intentionally only local, and never sees the internet.

The problem is this device was marketed at people who are technically literate enough to know about one or both:

1) that backups are good;
2) that they want to be able to remotely access, or share with others, their family photos etc.

But they aren’t technically literate enough to understand backups or exposing their stuff on the Internet. Ye Olde "A little knowledge is dangerous" situation.

Anonymous Coward says:

it may prove to be a long shot, meaning that many users who thought they were being smart by backing up their essential files, will have likely lost everything permanently.

If there was only a copy on the MyBook, it was not a backup, but the primary copy. Also, keep an offline copy of critical files, preferably off site.

sumgai (profile) says:

Re: Re: Re:

Oh, you’re speaking of ODSR – Off-Site Data Retention.

Certainly for a business, the previous quarter’s Master and G,F,S devices should be stored off-site, for a period of at least one year. For individuals, value of the data is a judgement call. My judgement has one value: how do I explain to the wife that I lost all of our kids’ pictures and grandkids’ videos, let alone our home business’s records. And that’s before I consider my personal media collection…. But YMMV.

Scary Devil Monastery (profile) says:

Re: Re: Helpful hacker says...

To be fair…

"The problem appears to have begun at around 3PM on June 23, at which point these devices started receiving a remote command to perform a factory reset."

…as a former Bastard Operator myself I have to say that part of me thinks buying devices able to factory reset at the behest of anyone with the magic skeleton key probably means the standard storage complaint solution of moving everything to /dev/null will fit the client’s needs eminently. The necessary lesson taught being "Stop using tech you can’t grok".

The other lesson about to be taught should be Western Digital having their ass creamed in court. What on earth possessed them to sell a storage device this badly secured?

Anonymous Coward says:

Western Digital stopped supporting the My Book Live in 2015 for cost reasons, leaving millions of devices with dated firmware and vulnerabilities.

Apple Insider reports that the drive was still on the market in 2014. A WD press release advertised a 3-year warranty. It would suck to buy a new product and have support dropped within a year. But to have it dropped while you still have 2 years of warranty left seems pretty close to fraud. (Which they were also recently accused of for their "Red" drives, intended for network-attached-storage devices; when caught, they said, oh yeah, we changed the meaning and didn’t tell anyone, and now "Red Plus" is what "Red" used to be.)

What’s the usual life of a hard drive anyway? I’ve got some 10-year-old ones still running, and I’m sure I could find 15- to 20-year-old drives in a closet. Hell, I booted up a 30-year-old PC a few years ago and its drive was fine. That WD thinks they can throw customers under the bus a year after they bought a product is yet another "fuck you" from them.

That Anonymous Coward (profile) says:

My sideways view of reality sees another option no one has considered.

What if the 0 Day was released by a grey hat hacker?

They tried to warn WD & got the standard corporate speak for not our problem.
So there is a large botnet all run on boxen that the maker refuses to help owners secure.
There is a battle between various groups trying to have the most boxen at their command.

The Botnets do horrible things and make the internet a worse place.
But I can send this command to the boxens that tell me they are a WD box & end the botnet permanently.
WD gets a well deserved black eye for creating something so insecure & not just putting out a warning the boxes can be compromised (this isn’t the first vuln they knew about) so take them off the net.

The fact they had the steps already programmed that would have made this much harder to pull off, and commented it out boggles the mind.

It’s not a nice thing to do but sometimes big problems need solutions that cause pain.

Something something sociopath…

That Anonymous Coward (profile) says:

Re: Re: Re:

Given the number of white hats who end up with the FBI banging on their door because they dared tell a company their security is shite & they are leaking information is way too high.

In my mind I can see someone reaching the point where s/he is frustrated with getting the WD blow off who just launches a script that ends the viability of the botnet.

Something something hacked citizens’ computers to fix their DNS settings… not like something has been done for their own good before.
Something something root kitted people’s computers leaving them with expensive paperweights… no charges.
Something something took down an online file sharing/storage service, allowed all the data to be destroyed, & screwed people who weren’t bad guys.

Everyone wants to pretend all the good guys only can wear white hats & all the bad guys have to wear black hats.
To a bunch of extorted people my hat is snow white, to a bunch of lawyers scared of what they imagine I might do, my hat is a black hole. In truth my hat is mostly grey like most people’s.

Sadly if the person behind it did it for our own good, it’s highly unlikely they will admit they did it.
People would be too angry to look at the evidence that might show WD had known about this, was warned about this, refused to make a patch to end the botnet, & strung the hacker along until nuclear seemed like the best option to stop it.

There always seems to be more to the story that gets missed…
The hacker might be a giant asshole or a giant savior… without full context how can one pass judgement?

That Anonymous Coward (profile) says:

Re: Re: Re:2 Re:

But the victims are on a spectrum.

How many had deleted data vs how many were harmed by the botnet running on the boxen?

What is the value of data vs bank details being gotten by the bots?

Loss of data is a bad thing but if you see people financially wiped out because WD refused to stop the insanity…

It’s a trolley problem, scores of people could keep getting ripped off for yet more time… or a few lose data. Neither option is really "good", but when all you have is a trolley lever someone gets squished.

And one does wonder if WD was informed & is playing the poor us card because if the details of how simple it was to cause this cascade of wiping they might look bad for not pushing a notification to the users alerting them to the issue & remove the vulnerable botnet machines from networks.

Mental drift net recalls a hack where they patched people’s routers uninvited, left a note explaining why, and left them more secure than they found them.

While wiping the data is bad there is still detail missing from the full picture, was it every WD box he could find or just the ones who were actually in a botnet?
Had there been other attempts at trying to block the botnet from infecting the boxen?

S/He could just be a giant asshole, it happens…
But in my cold black heart I can see how being pushed into a corner where no one will listen, they let the bad things keep happening, & someone discovers the big red button that can end it and then they press it.

But then none of this could have happened if WD hadn’t commented out safety measures, if they had pushed a firmware to patch the product (showing they actually care about consumers even if they don’t buy the latest greatest thing) or made a large announcement that we no longer support these devices, if you have it connected to the internet you can & will be hacked. Pull the ethernet out immediately and run a scan looking for xxx botnet infection.
Figure out if just reinstalling the firmware will wipe out the botcode, and just be good citizens about it.

WD owns up to an actual problem, actually actively does something about it (even just information) would make for a HUGE story in the news cycle rather than ‘we take your data seriously….’

Scary Devil Monastery (profile) says:

Re: Re: Re:3 Re:

"But the victims are on a spectrum."

Not really, no. If you find that the only way you can keep Actor A from perpetrating grand larceny is to break into the houses of a dozen people and torch their TV set or whatever…then you still actively do harm.

The gray hat would publish the security flaw enabling the botnet to a few reputable security watchdog organizations and let it flow from there. The black hat leaks the discovery to organized crime and script kids.

"It’s a trolley problem, scores of people could keep getting ripped off for yet more time… or a few lose data. Neither option is really "good", but when all you have is a trolley lever someone gets squished."

Well, yeah, but here’s the thing – this ain’t a trolley problem. This is the same broken logic people kept applying back in the GWB days when it came to torture and the advocacy for was always "There’s a bomb ticking somewhere so we have to act right now".

Judging from all we know right now WD’s sloppy work would impact…the people who have now been impacted. If this was a trolley problem then it’s one where the hypothetical gray hat sent the trolley down the track with the most people on it.
