'Malicious' Actor Is Wiping The Data Of Countless Western Digital My Book Users
from the past-its-expiration-date dept
Owners of Western Digital's popular My Book external hard drives aren't having a particularly good week. The company is advising customers to stop using the devices for now after customers mysteriously found their data deleted. According to complaints over at the company's website (first spotted by Bleeping Computer), many users say they woke up to find that the content of their external USB-connected storage drives had been completely wiped. Worse, they couldn't log in to the device's administrative systems to run any kind of diagnosis on the drives:
"I have a WD mybook live connected to my home LAN and worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seems there but empty. Previously the 2T volume was almost full but now it shows full capacity.
The even strange thing is when I try to log into the control UI for diagnosis I was only able to get to this landing page with an input box for “owner password”. I have tried the default password “admin” and also what I could set for it with no luck. There seems to be no change to retrieve or reset password on this landing page either."
The problem appears to have begun at around 3PM on June 23, at which point these devices started receiving a remote command to perform a factory reset. This appears to still be happening on a staggered basis. The Western Digital announcement sent out to customers suggests that a malicious actor has found a way to compromise the devices, and is deleting data for their own amusement:
"Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available."
There's been absolutely no indication given of when customers can expect a fix. Western Digital stopped supporting the My Book Live in 2015 for cost reasons, leaving millions of devices with dated firmware and vulnerabilities. According to user threads at the company's website, some Western Digital MyDrive users who say they disabled all cloud functionality to protect themselves say their data was wiped anyway. Since much of this data is encrypted, recovering it may prove to be a long shot, meaning that many users who thought they were being smart by backing up their essential files will likely have lost everything permanently.
It's not that hard for an everyday consumer -- inundated with an endless sea of obligations -- to miss the handful of notifications (if they even existed) that their devices are now neither supported nor secure. Given the millions of shittily-secured network routers and IoT devices that are being connected annually, the scope of the problem (and our collective apathy to it) really can't be overstated. If you know somebody who uses this hardware for backups and storage, you might want to give them a nudge.
Filed Under: cybersecurity, external hard drive, malicious actors, mybook, ownership
Reader Comments
#1
NEVER depend on tech.
If you want to be careful, 3 Copies and at least 1 NOT on the computer and NOT on the net.
Part of the failure is that WD stopped supporting the device in 2015. They still worked, so many kept it up, but DIDN'T turn off updates.
[ link to this | view in chronology ]
Re: #1
As to 3 copies, let me amplify thusly:
Just about the first thing a PFY learns from the BOFH - Grandfather, Father, & Son. Not three copies of one thing, but three generations of copies of everything. Which means, three separate devices, rotating between them each backup period. For most users, once a week is probably enough. Highly critical data, once a day/night. I've even seen one case where it was twice daily! Applying that same scheme to differential backups (with a master copy) is also an acceptable practice.
I'm not so paranoid as to disconnect my laptop from the web when backing up, but I do remove the current generation device whenever I'm not backing up - I've made mistakes and set myself back (and wasted time recovering stuff) more than once, I don't need internet clowns to help me on that score.
And if you attach a really high value to your data, optical media every so often is also de rigueur. Spinning rust can surprise you in an entirely unacceptable manner, trust me on that one.
[ link to this | view in chronology ]
2 things
Two notes... first, it's the MyBook Live, the one that is network attached, not the regular MyBook that attaches directly to a computer.
Second, they were originally saying it was an old, fixed bug and people are SOL, but now it has been revealed that it is also a new 0-day.
https://www.bleepingcomputer.com/news/security/hackers-use-zero-day-to-mass-wipe-my-book-live-devices/
[ link to this | view in chronology ]
Re: 2 things
"In the aptly named system_factory_restore script in the My Book Live's firmware, the authentication checks were commented out, making it possible for anyone with access to the device to perform a factory reset."
No one would ever do this, so just comment out these lines so we get less support calls...
[ link to this | view in chronology ]
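The failure mode quoted in the comment above, authentication checks commented out of a reset script, is something a source audit can catch before firmware ships. The following is an added example, not code from the article, Western Digital or the commenter; the PHP-style sample, the handler names and the assumption that authentication helpers contain "auth" in their name are all constructed for illustration.

```python
import re

# Assumption: auth helpers in the audited code base contain "auth" in their name.
AUTH_CALL = re.compile(r"\b\w*auth\w*\s*\(", re.IGNORECASE)
# Line-comment markers for PHP/shell-style scripts. Block comments (/* */)
# are not handled by this heuristic and need a real parser.
COMMENT_START = re.compile(r"//|#")
FUNC_DEF = re.compile(
    r"^\s*(?:public\s+|private\s+|protected\s+)?function\s+(\w+)\s*\("
)


def split_comment(line):
    """Split a line into (code, comment) at the first line-comment marker."""
    m = COMMENT_START.search(line)
    if not m:
        return line, ""
    return line[:m.start()], line[m.end():]


def audit(source):
    """Map each function to the line numbers of its live and disabled auth calls."""
    report, current = {}, None
    for no, line in enumerate(source.splitlines(), 1):
        m = FUNC_DEF.match(line)
        if m:
            current = m.group(1)
            report[current] = {"live": [], "disabled": []}
            continue
        if current is None:
            continue
        code, comment = split_comment(line)
        if AUTH_CALL.search(code):
            report[current]["live"].append(no)
        elif AUTH_CALL.search(comment):
            report[current]["disabled"].append(no)
    return report


def unprotected(source):
    """Functions whose only authentication checks are commented out."""
    return sorted(n for n, r in audit(source).items()
                  if r["disabled"] and not r["live"])


def never_checked(source):
    """Functions with no authentication call at all (review list, not a verdict)."""
    return sorted(n for n, r in audit(source).items()
                  if not r["disabled"] and not r["live"])


# Constructed sample input, not taken from any real firmware.
SAMPLE = """<?php
function get_status($params) {
    if (!requireOwnerAuth($params)) { return 401; }
    return read_status();
}
function post_factory_restore($params) {
    // if (!requireOwnerAuth($params)) {
    //     return 401;
    // }
    return run_restore();
}
function post_reboot($params) {
    return do_reboot();
}
"""

if __name__ == "__main__":
    print("auth disabled:", unprotected(SAMPLE))
    print("no auth call: ", never_checked(SAMPLE))
```

A check like this belongs in the build pipeline as a release gate; it complements, and does not replace, a test that calls each destructive endpoint without credentials and expects a rejection.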
Re: Re: 2 things
Y'all are laughing but deep down you know the sad truth...
This was exactly the discussion.
[ link to this | view in chronology ]
Re: Re: Re: 2 things
Or, more likely, some programmer commented them out while testing changes to the code, and forgot to reverse that when they had finished.
[ link to this | view in chronology ]
Re: Re: Re: Re: 2 things
stares
You have faith in a corporation not making decisions to save fractions of cents???
STARES
Has anyone talked to you about Santa Claus, The Easter Bunny, Jeebus?
This might be hard for you to hear, but you're old enough now to not believe in fairy tales.
[ link to this | view in chronology ]
Re: 2 things
So... if you buy a hard drive and connect it to your computer via an ethernet cable, you're fucked, but if you connect via a USB cable, you're okay. Do you think the buyers would have been aware of this distinction?
"0-day" usually refers to a vulnerability, which this isn't—the authentication check was deliberately removed so that anyone could run the "factory restore" without a password.
[ link to this | view in chronology ]
Cheap local storage is cheap!
I feel for everyone who lost their stuff, and perhaps I'm just naive, but with the seemingly ever shrinking cost of storage I have never been able to find a downside to backing up all of my stuff to an external drive that is intentionally only local, and never sees the internet. I assume that there are many, many cases in which this might not be practical, but speaking personally, not having my backup drive ever connected to a network is comforting.
[ link to this | view in chronology ]
Re: Cheap local storage is cheap!
Drive, heck! All you need is the storage medium.
For instance, I still have the 50 5.25" floppies I backed up my first 10MB hard disk onto...
[ link to this | view in chronology ]
Re: Re: Cheap local storage is cheap!
I've been lax (OK, lazy) about backing up the files on my external drives, but I burn stuff to data DVDs. I've heard all the arguments about bit-rot on burnable discs, but I still have CDRs I burned 20+ years ago that work 100% (I burn a checksum file to each disc). All the DVDs I've burned also work. Occasionally I get a bad burn that won't verify, or a disc burned on a different system doesn't want to read on my internal drive, but they always work on some drive.
People laugh and tell me that hard drives are so cheap that I should just be buying another drive to back the stuff up to. When they tell me this, I tell them about my 2TB Seagate drive that died almost exactly a year after I bought it. Or my 1TB Seagate drive that now refuses to read some of the files on it, even though Windows claims that it's healthy.
Sure, I could buy multiple drives and make multiple copies, but the price of even old external drives never seems to drop below $80 or so and believe it or not, there are some people in the world who can't afford to just drop $80-200 on tech that may just die on them and need to be replaced with another drive a few years down the road. Larger drives are cheaper. My friend had a 4TB drive that he loved, right up until it failed and took all his files with it.
[ link to this | view in chronology ]
Re: Re: Re: Cheap local storage is cheap!
"When they tell me this, I tell them about my 2TB Seagate drive that died almost exactly a year after I bought it."
You got it replaced under the warranty then, right?
Standard for consumer drives is 3 years with them for drive failures.
I use the Ironwolf ones with 5 year guarantees, just for additional security, and always mirror my backups to multiple physical drives so I still have copies while I'm getting a failed drive replaced.
[ link to this | view in chronology ]
Re: Re: Re: Re: Cheap local storage is cheap!
Warranties don't cover the lost data -- which is generally much more valuable to the user, than the drive itself ever was. (Hint: That's precisely why they bought the back-up drive in the first place.)
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Cheap local storage is cheap!
And where this resulted in data loss, they were not using it as a backup drive, but rather their primary and only archive.
[ link to this | view in chronology ]
Re: Re: Re: Re: Cheap local storage is cheap!
No, actually I returned it to Costco and got my money back, then went and bought a Western Digital drive. My friend had a small Seagate external drive that failed, this Seagate failed after a year and my other Seagate now can't read some files (but I have those backed up on another drive). I really didn't want another Seagate drive.
It had a two year data recovery plan with it and I thought about sending it in, but I had saved some adult material to the drive. There was nothing blatantly illegal, but it's not as if I had documentation of the ages of everyone in the videos and I've read horror stories about people getting charged with possession of child porn because they had images or videos where the girls just looked young. It probably would have been fine, but I didn't want to take the chance.
[ link to this | view in chronology ]
Re: Re: Cheap local storage is cheap!
I remember a friend's dad when I was a kid had a wardrobe full of VHS tapes containing backups. Each tape could hold 10 CDs' worth of data, and they were cheaper too.
[ link to this | view in chronology ]
Re: Cheap local storage is cheap!
The problem is this device was marketed at people who are technically literate enough to know about one or both:
1) that backups are good;
2) that they want to be able to remotely access, or share with others, their family photos etc.
But they aren't technically literate enough to understand backups or exposing their stuff on the Internet. Ye Olde "A little knowledge is dangerous" situation.
[ link to this | view in chronology ]
Re: Re: Cheap local storage is cheap!
Indeed, it's an ever-growing problem.
[ link to this | view in chronology ]
Re: Re: Re: Cheap local storage is cheap!
:^)
[ link to this | view in chronology ]
Re: Re: Cheap local storage is cheap!
They also do not realize that a backup should be one of several copies of a file, and having the only copy on a 'backup' drive is not a backup.
[ link to this | view in chronology ]
Re: Re: Re: Cheap local storage is cheap!
Also getting some kind of "Cloud-synched" backup drive, it's all too easy to lose "both" copies to a single issue. You need an offline copy to truly have a "Backup" in that case.
[ link to this | view in chronology ]
Re: Re: Re: Cheap local storage is cheap!
Right, or phrased another way "they aren't technically literate enough to understand backups". ;)
[ link to this | view in chronology ]
Malicious Actor?
Like Scott Baio or Ricky Schroder?
Or are they just bad actors and horrible people?
[ link to this | view in chronology ]
Re: Malicious Actor?
Perhaps you mean Bojana Novakovic, Molly Ringwald or Laura Antonelli?
[ link to this | view in chronology ]
Re: Re: Malicious Actor?
No that asshole they cut out of Home Alone 2 I think.
[ link to this | view in chronology ]
If there was only a copy on the MyBook, it was not a backup, but the primary copy. Also, keep an offline copy of critical files, preferably off site.
[ link to this | view in chronology ]
Re:
Yeah, you can have all the backups in the world and it makes no difference if they're all in the same office when it burns down.
[ link to this | view in chronology ]
Re: Re:
Oh, you're speaking of ODSR - Off-Site Data Retention.
Certainly for a business, the previous quarter's Master and G,F,S devices should be stored off-site, for a period of at least one year. For individuals, value of the data is a judgement call. My judgement has one value: how do I explain to the wife that I lost all of our kids' pictures and grandkids' videos, let alone our home business's records. And that's before I consider my personal media collection.... But YMMV.
[ link to this | view in chronology ]
Re: Re: Re:
Dammit! OSDR, not ODSR. I wonder if that latest batch of meds are what they're all cracked up to be.....
[ link to this | view in chronology ]
Helpful hacker says...
"Previously the 2T volume was almost full but now it shows full capacity. "
"No charge for cleaning out that crap you never use anyway. Now, you have 2T of possibilities!"
[ link to this | view in chronology ]
Re: Helpful hacker says...
Ahh yes, the BOFH solution to complaints about running out of storage.
[ link to this | view in chronology ]
Re: Re: Helpful hacker says...
To be fair...
"The problem appears to have begun at around 3PM on June 23, at which point these devices started receiving a remote command to perform a factory reset."
...as a former Bastard Operator myself I have to say that part of me thinks buying devices able to factory reset at the behest of anyone with the magic skeleton key probably means the standard storage complaint solution of moving everything to /dev/null will fit the client's needs eminently. The necessary lesson taught being "Stop using tech you can't grok".
The other lesson about to be taught should be Western Digital having their ass creamed in court. What on earth possessed them to sell a storage device this badly secured?
[ link to this | view in chronology ]
Apple Insider reports that the drive was still on the market in 2014. A WD press release advertised a 3-year warranty. It would suck to buy a new product and have support dropped within a year. But to have it dropped while you still have 2 years of warranty left seems pretty close to fraud. (Which they were also recently accused of for their "Red" drives, intended for network-attached-storage devices; when caught, they said, oh yeah, we changed the meaning and didn't tell anyone, and now "Red Plus" is what "Red" used to be.)
What's the usual life of a hard drive anyway? I've got some 10-year-old ones still running, and I'm sure I could find 15- to 20-year-old drives in a closet. Hell, I booted up a 30-year-old PC a few years ago and its drive was fine. That WD thinks they can throw customers under the bus a year after they bought a product is yet another "fuck you" from them.
[ link to this | view in chronology ]
My sideways view of reality sees another option no one has considered.
What if the 0 Day was released by a grey hat hacker?
They tried to warn WD & got the standard corporate speak for not our problem.
So there is a large botnet all run on boxen that the maker refuses to help owners secure.
There is a battle between various groups trying to have the most boxen at their command.
The Botnets do horrible things and make the internet a worse place.
But I can send this command to the boxens that tell me they are a WD box & end the botnet permanently.
WD gets a well deserved black eye for creating something so insecure & not just putting out a warning the boxes can be compromised (this isn't the first vuln they knew about) so take them off the net.
The fact they had the steps already programmed that would have made this much harder to pull off, and commented it out boggles the mind.
It's not a nice thing to do but sometimes big problems need solutions that cause pain.
Something something sociopath...
[ link to this | view in chronology ]
Re:
"What if the 0 Day was released by a grey hat hacker?"
If the 0-day was released on a security forum then fine. Otherwise that "grey hat" is a very dark shade of grey indeed.
[ link to this | view in chronology ]
Re: Re:
Given the number of white hats who end up with the FBI banging on their door because they dared tell a company their security is shite & they are leaking information is way too high.
In my mind I can see someone reaching the point where s/he is frustrated with getting the WD blow off who just launches a script that ends the viability of the botnet.
Something something hacked citizens' computers to fix their DNS settings... not like something has been done for their own good before.
Something something root kitted people's computers leaving them with expensive paperweights... no charges.
Something something took down an online file sharing/storage service, allowed all the data to be destroyed, & screwed people who weren't bad guys.
Everyone wants to pretend all the good guys only can wear white hats & all the bad guys have to wear black hats.
To a bunch of extorted people my hat is snow white, to a bunch of lawyers scared of what they imagine I might do, my hat is a black hole. In truth my hat is mostly grey like most people's.
Sadly if the person behind it did it for our own good, it's highly unlikely they will admit they did it.
People would be too angry to look at the evidence that might show WD had known about this, was warned about this, refused to make a patch to end the botnet, & strung the hacker along until nuclear seemed like the best option to stop it.
There always seems to be more to the story that gets missed...
The hacker might be a giant asshole or a giant savior... without full context how can one pass judgement?
[ link to this | view in chronology ]
Re: Re: Re:
"The hacker might be a giant asshole or a giant savior... without full context how can one pass judgement?"
I'll spot you a hint - the gray hat skirts law, not people. Once your actions stop being victimless the lighter shades drain right out of that hat of yours.
[ link to this | view in chronology ]
Re: Re: Re: Re:
But the victims are on a spectrum.
How many had deleted data vs how many were harmed by the botnet running on the boxen?
What is the value of data vs bank details being gotten by the bots?
Loss of data is a bad thing but if you see people financially wiped out because WD refused to stop the insanity...
It's a trolley problem, scores of people could keep getting ripped off for yet more time... or a few lose data. Neither option is really "good", but when all you have is a trolley lever someone gets squished.
And one does wonder if WD was informed & is playing the poor us card because if the details of how simple it was to cause this cascade of wiping they might look bad for not pushing a notification to the users alerting them to the issue & remove the vulnerable botnet machines from networks.
Mental drift net recalls a hack where they patched people's routers uninvited, left a note explaining why, and left them more secure than they found them.
While wiping the data is bad there is still detail missing from the full picture, was it every WD box he could find or just the ones who were actually in a botnet?
Had there been other attempts at trying to block the botnet from infecting the boxen?
S/He could just be a giant asshole, it happens...
But in my cold black heart I can see how being pushed into a corner where no one will listen, they let the bad things keep happening, & someone discovers the big red button that can end it and then they press it.
But then none of this could have happened if WD hadn't commented out safety measures, if they had pushed a firmware to patch the product (showing they actually care about consumers even if they don't buy the latest greatest thing) or made a large announcement that we no longer support these devices, if you have it connected to the internet you can & will be hacked. Pull the ethernet out immediately and run a scan looking for xxx botnet infection.
Figure out if just reinstalling the firmware will wipe out the botcode, and just be good citizens about it.
WD owns up to an actual problem, actually actively does something about it (even just information) would make for a HUGE story in the news cycle rather than 'we take your data seriously....'
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
"But the victims are on a spectrum."
Not really, no. If you find that the only way you can keep Actor A from perpetrating grand larceny is to break into the houses of a dozen people and torch their TV set or whatever...then you still actively do harm.
The gray hat would publish the security flaw enabling the botnet to a few reputable security watchdog organizations and let it flow from there. The black hat leaks the discovery to organized crime and script kids.
"It's a trolley problem, scores of people could keep getting ripped off for yet more time... or a few lose data. Neither option is really "good", but when all you have is a trolley lever someone gets squished."
Well, yeah, but here's the thing - this ain't a trolley problem. This is the same broken logic people kept applying back in the GWB days when it came to torture and the advocacy for was always "There's a bomb ticking somewhere so we have to act right now".
Judging from all we know right now WD's sloppy work would impact...the people who have now been impacted. If this was a trolley problem then it's one where the hypothetical gray hat sent the trolley down the track with the most people on it.
[ link to this | view in chronology ]
I don't understand why any consumer device should even be capable of receiving remote commands for factory reset. It's just infinitely more secure to have a little button on the back.
[ link to this | view in chronology ]
Re:
Adding the little button on the back might add five whole cents to the retail price of the device. In the consumer market, that could well be the kiss of death for the product.
[ link to this | view in chronology ]
Re:
(turns to the crowd and whispers)
No one tell this AC about the systems for critical infrastructure & their flaws.
[ link to this | view in chronology ]