Western Digital Removed Code That Would Have Prevented Widespread Hard Drive Hacks
You may have heard several days ago that owners of certain Western Digital My Book external hard drives were hit with a remote exploit that deleted all their data. Alternatively, you may be the unlucky owner of a My Book Live and are still in mourning over the loss of your precious files. In either case, it looks like the cause of the reformat hack was not the 2018 vulnerability but was instead a zero-day exploit caused by sloppy development. However, this does not clear WD of wrongdoing. If anything, it’s even worse.
Last week, many owners of My Book Live hard drives awoke to find their devices had been reset. Unlike most external drives, the My Book Live doesn’t have a USB port. It’s intended to connect to your local network via an Ethernet cable so it can be accessed from all your other devices. However, it defaults to being available online at all times, and WD stopped supporting the My Book Live several years ago.
It’s true that if WD had not abandoned the My Book Live lineup, it might have spotted the problem before the hack. However, the initial supposition that the hack stemmed entirely from an unpatched 2018 flaw has been proven wrong. Ars Technica and security researcher Derek Abdine now say the mass hack comes from an unreported flaw in WD’s drive software. The software included an authentication check whenever the embedded reset command was triggered. However, for unknown reasons, it was disabled in the shipping software. All the attacker needed to know to blank the drives was how to format the XML request. The code, seen below, would have blocked the reformat, but the double slash at the beginning of each line indicates it was “commented out.”
function post($urlPath, $queryParams = null, $ouputFormat = ‘xml’) {// if(!authenticateAsOwner($queryParams))// {// header(“HTTP/1.0 401 Unauthorized”);// return;// }
So, that’s all pretty weird, but it gets even weirder. These drives are indeed vulnerable to CVE-2018-18472, the 2018 exploit Western Digital initially fingered as the cause. It claims that in at least some of the known hacks, the attackers used CVE-2018-18472 to gain access and then triggered the zero-day to format the drive. The 2018 flaw should have given the attacker root access, so it’s unclear why they also used the zero-day. Several hacked drives have been found to have malware designed for the drive’s PowerPC hardware. This makes the drives part of the Linux.Ngioweb botnet.
Dan Goodin from Ars has a theory about this, and it’s one with which I agree. Goodin speculates that the botnet installation and reset were carried out by different attackers. Perhaps the data deletion attack was an attempt by a rival to blow up their enemy’s botnet. It’s just a shame that regular users lost all their data by being caught in the middle. Regardless, Western Digital really screwed up by letting a device with two serious vulnerabilities sit in people’s homes all this time.
Continue reading
Microsoft Would Like You to Stop Downloading Leaked Windows 11
Microsoft would appreciate it if folks would stop downloading an early copy of Windows 11 in favor of letting them show it off first.
The Games We Played and Would (Mostly) Recommend in 2021
As 2021 draws to a close, here's what the wfoojjaec staff have been playing for fun. If you need game recommendations, you're welcome to pull from our own lists.
Would Removing the Buffalo Mass Murder Stream Be Illegal Under New Texas Law?
Because today’s mass murderers don’t “just” mass murder, they also have to livestream the incident for the world to see.
Got a Well-Adjusted Cat? Scientists Would Like to Hear From You
If you’re looking for an excuse to rave about Fluffy, this might be your chance. Scientists want to talk to cat owners about