Time to Unplug: WD My Book Live Hard Drives Hit With Data Deletion Exploit
Western Digital’s My Book Live devices offer the ability to set up a storage pool on your network without the hassle or expense of a full-fledged NAS box. That might seem like just what you need, but Western Digital appears to have missed a major, show-stopping bug. According to Ars Technica, My Book Live owners around the world are reporting their devices have been purged of all data, and Western Digital is advising that everyone disconnect their drives from the internet for now.
WD stopped selling the My Book Live devices, which connect to your router via Ethernet rather than USB, several years ago. The issue came to light in a WD community forum thread earlier this week. Usually, these threads have a smattering of affected individuals, with everyone else offering possible solutions. Here, almost every reply is someone else saying their data simply disappeared on June 23. Even those who managed to reset their device passwords and gain access to the drives found their files were long gone.
At first, everyone speculated that WD had pushed a bad firmware update, but the truth is even worse. Several users were able to pull logs from the device that showed a “factoryRestore.sh” script running on the afternoon of June 23. Because My Book Live enclosures utilize encryption, there’s probably no way to recover the deleted data.
WD has confirmed that its cloud infrastructure has not been compromised, but the “threat actor” didn’t need to do that. It turns out the My Book Live devices have an unpatched vulnerability, known as CVE-2018-18472. This is a severe type of vulnerability known as a Remote Command Execution bug. All someone needs is the IP address of the drive, and they can trigger a factory reset. Western Digital is recommending that the drives be disconnected from the internet until further notice.
Sadly, disconnecting the drives will only help those not already hit by the wave of remote access deletions. You could argue these people should have had backups, and leaving an unsupported device connected to the internet is a bad idea, but this is a consumer device. Most people don’t think about the security implications when devices like the My Book Live go out of support. It might be an older product, but WD really dropped the ball by letting this vulnerability remain unpatched on the My Book Live.