Western Digital’s My Book Live devices offer the ability to set up a storage pool on your network without the hassle or expense of a full-fledged NAS box. That might seem like just what you need, but Western Digital appears to have missed a major, show-stopping bug. According to Ars Technica, My Book Live owners around the world are reporting their devices have been purged of all data, and Western Digital is advising that everyone disconnect their drives from the internet for now.
WD stopped selling the My Book Live devices, which connect to your router via Ethernet rather than USB, several years ago. The issue came to light in a WD community forum thread earlier this week. Usually, these threads have a smattering of affected individuals, with everyone else offering possible solutions. Here, almost every reply is someone else saying their data simply disappeared on June 23. Even those who managed to reset their device passwords and gain access to the drives found their files were long gone.
At first, everyone speculated that WD had pushed a bad firmware update, but the truth is even worse. Several users were able to pull logs from the device that showed a “factoryRestore.sh” script running on the afternoon of June 23. Because My Book Live enclosures utilize encryption, there’s probably no way to recover the deleted data.
WD has confirmed that its cloud infrastructure has not been compromised, but the “threat actor” didn’t need to do that. It turns out the My Book Live devices have an unpatched vulnerability, known as CVE-2018-18472. This is a severe type of vulnerability known as a Remote Command Execution bug. All someone needs is the IP address of the drive, and they can trigger a factory reset. Western Digital is recommending that the drives be disconnected from the internet until further notice.
Sadly, disconnecting the drives will only help those not already hit by the wave of remote access deletions. You could argue these people should have had backups, and leaving an unsupported device connected to the internet is a bad idea, but this is a consumer device. Most people don’t think about the security implications when devices like the My Book Live go out of support. It might be an older product, but WD really dropped the ball by letting this vulnerability remain unpatched on the My Book Live.