‘It is unlikely at this point that any internet-connected My Book Live has not been exploited,’ wrote internet security specialist Censys, referring to the more than 50,000 Western Digital My Book Live/My Book Live Duo external hard disk drives stripped of all data over the last week in June.
Reports emerged on June 24 that My Book Live owners’ data was being wiped clean, with a remote factory reset apparently the cause.
Censys did a deep dive into the causes of the mass hijacking of the drives, and found that the initial vulnerability was due to sloppy code writing. This was picked up back in 2018 by internet security consultants WizCase, but WD chose not to issue a patch because it had ended software support for the drives in 2015.
‘We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device,’ WD responded to the WizCase research.
(The WizCase report claimed all four hard disk drives it looked at, namely WD My Book Live, Seagate Home, Netgear Stora and Medion LifeCloud NAS, had vulnerabilities which made them unsecure when connected to the internet, begging the question: is this the first of a series of attacks on internet-connected external hard disks?)
Not only have the disks been wiped clean, but around 25 percent of them have been conscripted into a ‘botnet’, a ‘collection of compromised internet-connected devices controlled by a third party.’ Yew!
‘Given the user reported behaviour of a My Book Live reaching out to a dropper host (attacker controlled), it appears (though it is hard to confirm without an actual device) that internet-exposed My Book Live devices are being mass exploited to join a botnet,’ wrote Censys.
For some My Book Live owners this will be a minor inconvenience, a reminder to update their back-up drive, but for others it has been ruinous, according to comments like this on the WD Community site: ‘I have lost 4TB of data, this includes all my insurance policies, budgets, the usual “life admin” as well as all the photos of my children, my wedding, etc, but just as importantly my livelihood. I am an independent consultant and my last 7 months of project work is all gone.’
Western Digital initially advised My Book Live owners to disconnect from the internet and has now offered to assist with recovering lost data: ‘Although this product family is no longer sold or supported by Western Digital, we know some of our customers have been impacted and we want to help. If you have lost your data as a result of these attacks, we will provide data recovery services which will be available beginning in July.’
And not only that, but a cracking deal on a new WD storage device: ‘We know how important your data is to you and are committed to helping you protect it. We are launching a trade-in program that will allow you to upgrade from your My Book Live to one of our supported My Cloud devices.’
Meanwhile there’s a furious debate going on at the usual websites, with one side saying ‘well if you relied on only one copy of your data then ha ha it’s all your fault; and anyway it was an obsolete product’ and the other side anticipating a class action lawsuit and questioning the ethics of WD for not issuing a patch for such a gaping vulnerability, or at least issuing a warning in 2018 when it came to light.