Western Digital Removed Code That Would Have Prevented Widespread Hard Drive Hacks

You may have heard several days ago that owners of certain Western Digital My Book external hard drives were hit with a remote exploit that deleted all their data. Alternatively, you may be the unlucky owner of a My Book Live and are still in mourning over the loss of your precious files. In either case, it looks like the cause of the reformat hack was not the 2018 vulnerability but a zero-day flaw introduced by sloppy development. However, this does not clear WD of wrongdoing. If anything, it’s even worse.

Last week, many owners of My Book Live hard drives awoke to find their devices had been reset. Unlike most external drives, the My Book Live doesn’t have a USB port. It’s intended to connect to your local network via an Ethernet cable so it can be accessed from all your other devices. However, it defaults to being available online at all times, and WD stopped supporting the My Book Live several years ago.

It’s true that if WD had not abandoned the My Book Live lineup, it might have spotted the problem before the hack. However, the initial supposition that the hack stemmed entirely from an unpatched 2018 flaw has been proven wrong. Ars Technica and security researcher Derek Abdine now say the mass hack exploited a previously unreported flaw in WD’s drive software. The handler for the embedded reset command included an authentication check that should have run every time the command was triggered. However, for unknown reasons, that check was disabled in the shipping software. All an attacker needed to know to blank a drive was how to format the XML request. The code, seen below, would have blocked the reformat, but the double slash at the beginning of each line indicates it was “commented out.”

    function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
    //    if(!authenticateAsOwner($queryParams))
    //    {
    //        header("HTTP/1.0 401 Unauthorized");
    //        return;
    //    }

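The failure here is not an exotic bug but a security control that was switched off by commenting it out and then shipped. One defensive check a team can run in CI is a scanner that flags authentication or authorization calls sitting inside comments. The script below is an added example written for this article, not Western Digital’s code; it scans PHP source for the function name the article shows, authenticateAsOwner, plus two constructed names (requireLogin, checkPermission) standing in for whatever a team’s own auth helpers are called, and it handles //, # and /* */ comment styles. The sample source is constructed from the snippet above with a second, correctly protected handler added for contrast.

```python
import re
from typing import List, Tuple

# Auth/authorization helpers to watch for. authenticateAsOwner is the name
# from the My Book Live snippet; the other two are constructed placeholders.
AUTH_CALLS = ("authenticateAsOwner", "requireLogin", "checkPermission")

# Constructed sample: the commented-out check from the reset handler as shown
# in the article, plus a handler where the check is live, plus a block comment.
SAMPLE_PHP = """<?php
function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
//    if(!authenticateAsOwner($queryParams))
//    {
//        header("HTTP/1.0 401 Unauthorized");
//        return;
//    }
    return doReset($queryParams);
}

function get($urlPath, $queryParams = null) {
    if (!authenticateAsOwner($queryParams)) {
        header("HTTP/1.0 401 Unauthorized");
        return;
    }
    /* requireLogin($queryParams);
       checkPermission('admin'); */
    return doStatus();
}
"""


def commented_auth_calls(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for every auth call found inside a comment.

    Handles '//' and '#' line comments and '/* ... */' block comments spanning
    lines. String literals are not tracked, so a '//' inside a string is treated
    as a comment start; that errs toward flagging, which is what a CI gate wants.
    """
    findings: List[Tuple[int, str]] = []
    in_block = False
    call_re = re.compile(r"\b(" + "|".join(map(re.escape, AUTH_CALLS)) + r")\s*\(")
    opener_re = re.compile(r"//|#|/\*")

    for lineno, line in enumerate(source.splitlines(), start=1):
        commented = ""  # the portion of this line that lies inside a comment
        rest = line
        while rest:
            if in_block:
                end = rest.find("*/")
                if end == -1:
                    commented += rest
                    rest = ""
                else:
                    commented += rest[:end]
                    rest = rest[end + 2:]
                    in_block = False
                continue
            m = opener_re.search(rest)
            if not m:
                break
            if m.group() == "/*":
                in_block = True
                rest = rest[m.end():]
            else:
                # '//' or '#': everything to end of line is comment text
                commented += rest[m.end():]
                rest = ""
        if call_re.search(commented):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, text in commented_auth_calls(SAMPLE_PHP):
        print(f"line {lineno}: auth check inside a comment: {text}")
```

Run against the sample, the scanner reports line 3 (the commented-out authenticateAsOwner call in the reset handler) and the two calls inside the block comment, while the live check in the get handler is left alone. Wiring this into a pre-merge job turns “someone commented out the auth check” from a silent change into a failed build.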
So, that’s all pretty weird, but it gets even weirder. These drives are indeed vulnerable to CVE-2018-18472, the 2018 exploit Western Digital initially fingered as the cause. WD claims that in at least some of the known hacks, the attackers used CVE-2018-18472 to gain access and then triggered the zero-day to format the drive. The 2018 flaw should have given the attacker root access, so it’s unclear why they also used the zero-day. Several hacked drives have been found to have malware designed for the drive’s PowerPC hardware, which makes the drives part of the Linux.Ngioweb botnet.

Dan Goodin from Ars has a theory about this, and it’s one with which I agree. Goodin speculates that the botnet installation and reset were carried out by different attackers. Perhaps the data deletion attack was an attempt by a rival to blow up their enemy’s botnet. It’s just a shame that regular users lost all their data by being caught in the middle. Regardless, Western Digital really screwed up by letting a device with two serious vulnerabilities sit in people’s homes all this time.
