Western Digital Removed Code That Would Have Prevented Widespread Hard Drive Hacks

You may have heard several days ago that owners of certain Western Digital My Book external hard drives were hit with a remote exploit that deleted all their data. Alternatively, you may be the unlucky owner of a My Book Live and are still in mourning over the loss of your precious files. In either case, it now looks like the reformat hack did not stem solely from the 2018 vulnerability but from a second, previously unreported flaw caused by sloppy development. This does not clear WD of wrongdoing. If anything, it's even worse.
Last week, many owners of My Book Live hard drives awoke to find their devices had been reset. Unlike most external drives, the My Book Live doesn’t have a USB port. It’s intended to connect to your local network via an Ethernet cable so it can be accessed from all your other devices. However, it defaults to being available online at all times, and WD stopped supporting the My Book Live several years ago.
It's true that if WD had not abandoned the My Book Live lineup, it might have spotted the problem before the hack. However, the initial supposition that the hack stemmed entirely from an unpatched 2018 flaw has been proven wrong. Ars Technica and security researcher Derek Abdine now say the mass hack comes from a previously unreported flaw in WD's drive software. The handler that processes the embedded factory-reset command included an authentication check, but for unknown reasons that check was disabled in the shipping software. All an attacker needed to know to blank the drives was how to format the XML request. The code, seen below, would have blocked the reformat, but the double slash at the beginning of each line indicates it was "commented out."
    function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
    //    if(!authenticateAsOwner($queryParams))
    //    {
    //        header("HTTP/1.0 401 Unauthorized");
    //        return;
    //    }
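A commented-out authorization check is easy to miss in a code review because the call is still visible in the file. The following static check, added here as an example and not code from Western Digital or from the article, scans PHP source for function definitions and reports each one in which the authentication call appears only inside `//`, `#` or `/* ... */` comments, or does not appear at all. It assumes the call is named `authenticateAsOwner` (the name in the snippet above; other codebases use different names), it does not try to handle comment markers inside string literals, and the PHP source it scans is a constructed sample modelled on the snippet, not the real My Book Live firmware.

```python
"""Flag PHP functions whose authentication call is commented out or absent.

Added example. Assumptions: the auth call is `authenticateAsOwner` (taken from
the leaked snippet), and comment markers inside string literals are not handled.
"""
import re

AUTH_CALL = "authenticateAsOwner"  # assumed name; adjust for other codebases

# Matches `function name(` and `public static function name(` style definitions.
FUNC_RE = re.compile(
    r"^\s*(?:(?:public|private|protected|static)\s+)*function\s+(\w+)\s*\("
)


def classify_line(line, in_block):
    """Split one line into (code, comment, in_block).

    `in_block` carries /* ... */ state across lines. `//` and `#` start a
    line comment. The comment text keeps its markers so callers can see them.
    """
    code, comment = [], []
    i, n = 0, len(line)
    while i < n:
        if in_block:
            end = line.find("*/", i)
            if end == -1:                      # comment runs past end of line
                comment.append(line[i:])
                i = n
            else:
                comment.append(line[i:end])
                i = end + 2
                in_block = False
        elif line.startswith("/*", i):
            in_block = True
            i += 2
        elif line.startswith("//", i) or line.startswith("#", i):
            comment.append(line[i:])           # rest of line is a comment
            i = n
        else:
            code.append(line[i])
            i += 1
    return "".join(code), "".join(comment), in_block


def split_functions(php):
    """Yield (name, lines) for each function; a body runs until the next definition."""
    current, body = None, []
    for line in php.splitlines():
        m = FUNC_RE.match(line)
        if m:
            if current is not None:
                yield current, body
            current, body = m.group(1), [line]
        elif current is not None:
            body.append(line)
    if current is not None:
        yield current, body


def auth_status(lines):
    """Return 'active', 'commented_out' or 'missing' for one function body."""
    in_block = False
    seen_in_comment = False
    for line in lines:
        code, comment, in_block = classify_line(line, in_block)
        if AUTH_CALL in code:
            return "active"                    # a live call wins
        if AUTH_CALL in comment:
            seen_in_comment = True
    return "commented_out" if seen_in_comment else "missing"


def audit(php):
    """Map every function name in `php` to its auth status."""
    return {name: auth_status(body) for name, body in split_functions(php)}


def flagged(php):
    """Names of functions that never make a live authentication call (triage list)."""
    return [name for name, status in audit(php).items() if status != "active"]


# Constructed sample source: a handler modelled on the leaked snippet, the same
# handler with the check restored, a block-commented variant, and a plain helper.
SAMPLE_PHP = r"""<?php
function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
//        if(!authenticateAsOwner($queryParams))
//        {
//                header("HTTP/1.0 401 Unauthorized");
//                return;
//        }
        return runCommand($urlPath, $queryParams, $ouputFormat);
}

function post_fixed($urlPath, $queryParams = null, $ouputFormat = 'xml') {
        if(!authenticateAsOwner($queryParams))
        {
                header("HTTP/1.0 401 Unauthorized");
                return;
        }
        return runCommand($urlPath, $queryParams, $ouputFormat);
}

function get($urlPath, $queryParams = null) {
        /* if(!authenticateAsOwner($queryParams)) { return; } */
        return runCommand($urlPath, $queryParams, 'xml');
}

function helper($x) {
        return $x;
}
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE_PHP).items():
        print(f"{name:12s} {status}")
```

Run against a firmware tree, the "commented_out" entries are the ones worth reading first: someone wrote the check and then disabled it. "missing" entries include ordinary helpers, so they need triage against the list of functions that are actually reachable from a network request.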
So, that's all pretty weird, but it gets even weirder. These drives are indeed vulnerable to CVE-2018-18472, the 2018 vulnerability Western Digital initially fingered as the cause. WD says that in at least some of the known hacks, the attackers used CVE-2018-18472 to gain access and then triggered the zero-day to format the drive. The 2018 flaw should already have given the attacker root access, so it's unclear why they also used the zero-day. Several hacked drives have been found to carry malware compiled for the drive's PowerPC hardware, which enrolled them in the Linux.Ngioweb botnet.
Dan Goodin from Ars has a theory about this, and it’s one with which I agree. Goodin speculates that the botnet installation and reset were carried out by different attackers. Perhaps the data deletion attack was an attempt by a rival to blow up their enemy’s botnet. It’s just a shame that regular users lost all their data by being caught in the middle. Regardless, Western Digital really screwed up by letting a device with two serious vulnerabilities sit in people’s homes all this time.