Western Digital, maker of the popular My Book external hard drives, is recommending customers unplug My Book Live storage devices from the Internet until further notice while company engineers investigate unexplained compromises that have completely wiped data from devices around the world.
The mass incidents of disk wiping came to light in this thread https://community.wd.com/t/help-all-dat ... own/268111 on Western Digital’s support forum. So far, there are no reports of deleted data later being restored.
Kagord wrote: ↑Fri Jun 25, 2021 4:20 am
Hopefully, they can just update the firmware from their botched release and fix.
I think these are the drives that connect directly to the network and are like a NAS. I don't think these are the USB drives.
So, if it looks like this in the back with a network port, unplug it.
Rule of thumb for data. If you have something digital on only one hard drive, you actually don't have that data. I make sure I have 2 or even 3 copies of anything important.
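The "two or three copies" rule above is only as good as the second copy, so here is an added example (written for this page; it is not code posted by anyone in the thread or shipped by Western Digital) that hashes two directory trees and reports what the copy is missing or has altered relative to the primary. The `primary`/`copy` roles, the `demo()` tree contents and the file names in it are assumptions constructed for the example; in the thread's situation the primary would be the NAS share and the copy the portable drive.

```python
"""Verify that a backup copy holds everything the primary tree holds.

Added example for this page, not from the thread or from Western Digital.
"""
import hashlib
import os
import sys
import tempfile


def manifest(root, chunk=1 << 20):
    """Map relative path -> (size, sha256 hex) for every regular file under root.

    Symlinks are skipped so a link on the NAS cannot masquerade as a file,
    and files are read in chunks so large videos do not need to fit in RAM.
    """
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for block in iter(lambda: fh.read(chunk), b""):
                    h.update(block)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (os.path.getsize(full), h.hexdigest())
    return out


def compare(primary, copy):
    """Return what the copy is missing, has altered, or has extra, versus the primary.

    'ok' is True only when the copy contains every primary file with the same
    size and content hash; extras in the copy are reported but do not fail it.
    """
    missing = sorted(p for p in primary if p not in copy)
    changed = sorted(p for p in primary if p in copy and primary[p] != copy[p])
    extra = sorted(p for p in copy if p not in primary)
    return {"missing": missing, "changed": changed, "extra": extra,
            "ok": not missing and not changed}


def demo():
    """Build two small constructed trees (assumed names/contents) and compare them."""
    nas_files = {"photos/2019/a.jpg": b"AAAA", "docs/tax.pdf": b"TTTT", "video.mp4": b"VVVV"}
    usb_files = {"photos/2019/a.jpg": b"AAAA", "docs/tax.pdf": b"tttt", "notes.txt": b"NNNN"}
    with tempfile.TemporaryDirectory() as tmp:
        nas, usb = os.path.join(tmp, "nas"), os.path.join(tmp, "usb")
        for root, files in ((nas, nas_files), (usb, usb_files)):
            for rel, data in files.items():
                path = os.path.join(root, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
        return compare(manifest(nas), manifest(usb))


if __name__ == "__main__":
    # Usage: python verify_copy.py /path/to/primary /path/to/copy
    if len(sys.argv) == 3:
        print(compare(manifest(sys.argv[1]), manifest(sys.argv[2])))
    else:
        print(demo())
```

Run it against the mounted share and the portable drive before trusting the portable drive as the surviving copy; a `changed` entry means the two copies disagree and you need a third copy or an older backup to decide which one is right.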
“The My Book Live device received its final firmware update in 2015.”
Nice, so no security updates since then? And my guess is they probably don’t have many of the original staff or contractors who worked on the firmware around anymore to deal with this emergency.
The Western Digital My Book Live is an external hard drive that plugs into an ethernet cable instead of directly into your computer. It is a cheap, reliable storage solution that provides a private cloud experience. It's a very easy way to create a space for friends and family to share photos and videos across the Internet and to mobile devices. It's been reliable for years, and we use it for family photos and other things we want to share. It's popular for that purpose.
This all changed yesterday. There's apparently a malware attack that is wiping these drives. If you own one, Western Digital is advising that you unplug it while they figure out what is going on, and how to stop it.
I unplugged mine immediately when I saw an article on this yesterday. I had accessed a file on it a few hours earlier so I'm confident mine was not wiped on June 23 like happened to many others. Fortunately I also have a backup done a week ago to a portable drive.
This is bad. Many people on the WD forum are reporting completely wiped drives as a result of the factory reset instruction sent out by the person that did this.
UPDATE: I see I have the WD My Cloud version which doesn't appear to be the subject of the attack. Still leaving unplugged until more info comes out from WD. (They did not mention My Cloud in their alert.)
Retired |
Two-time in top-10 in Bogleheads S&P500 contest; 18-time loser
BigFoot48 wrote: ↑Fri Jun 25, 2021 8:23 am
I unplugged mine immediately when I saw an article on this.
Unless there is a fix or a way to access the data "offline," an unplugged device is no different than a wiped device. Mine is unplugged for now. My critical data is backed up online; the NAS is only used as a local mirror. I do have some other archived data that I would not like to lose but wouldn't be that big a deal.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Cheez-It Guy wrote: ↑Fri Jun 25, 2021 8:28 am
Why would you want your physical hard drive backup independently internet-connected?
A NAS is attached to a local network (LAN). The network is connected to the internet through the router. For almost all users, the use is to allow multiple devices to access the same data. In that application, the connection to the internet by the NAS is simply an artifact of how the devices are interconnected locally. It is technically possible to configure many NAS devices such that one can connect into it remotely to retrieve data from outside the LAN. I don't configure mine this way as I have no requirement to do so.
jebmke wrote: ↑Fri Jun 25, 2021 8:26 am
Unless there is a fix or a way to access the data "offline," an unplugged device is no different than a wiped device.
How true! One suggestion I've seen is to plug the WD into one's computer using an ethernet cable after logging off the internet.
Cheez-It Guy wrote: ↑Fri Jun 25, 2021 8:28 am
Why would you want your physical hard drive backup independently internet-connected?
A NAS is attached to a local network (LAN). The network is connected to the internet through the router. For almost all users, the use is to allow multiple devices to access the same data. In that application, the connection to the internet by the NAS is simply an artifact of how the devices are interconnected locally. It is technically possible to configure many NAS devices such that one can connect into it remotely to retrieve data from outside the LAN. I don't configure mine this way as I have no requirement to do so.
Thanks! I don't think I'll plan to use one of these in the future.
I would be interested in any interpretation of this excerpt from the ARS page by experienced Linux users (I believe these devices are essentially a Linux micro lashed to a hard drive).
Multiple users reported that the data loss coincided with a factory reset that was performed on their devices. One person posted a log that showed unexplained behavior occurring on Wednesday:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
“I believe this is the culprit of why this happens,” the person wrote. “No one was even home to use this drive at this time.”
What does this mean in practical terms? If there is a bug already present on your WD device, will simply disconnecting it from the LAN prevent a wipe (assuming one has not already occurred), or should the unit be shut down? One risk of a shutdown is that it will have to go through a boot cycle.
If I connected this to a router that was offline from the WAN, would it be safe to connect to it with a computer long enough to migrate the data to another device (assuming it is still there)? My WD has a fixed IP address so I don't think I would need to reboot it to reconnect to a disconnected LAN as long as the gateway address is the same. I could take my primary router offline but that would take the rest of the house offline. My preference would be to fire up a backup router with the same gateway access but not connected to the outside and then do the migration from that.
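For the question of what the quoted log actually shows, here is an added example (written for this page; not code from any poster, from Ars, or from Western Digital) that triages a My Book Live syslog excerpt: it finds every `factoryRestore.sh` invocation and ties to it the reboot, the first remount of the data volume and the package reinstalls that follow. The sample log is constructed for the example: its `Jun 23` lines follow the excerpt quoted above, and the `03:10` and `Jun 24` lines are filler added to show that only the post-reset mount is attributed to the restore. BSD syslog lines carry no year, so 2021 is assumed; the two-hour correlation window is also an assumption.

```python
"""Triage a My Book Live syslog excerpt for an unexpected factory restore.

Added example for this page, not from the thread, Ars or Western Digital.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: Jun 23 lines follow the excerpt quoted in the thread;
# the 03:10 and Jun 24 lines are filler so the correlation has to pick the
# right mount and stop at the window boundary.
SAMPLE_LOG = """\
Jun 23 03:10:11 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
Jun 24 09:00:00 MyBookLive logger: hostname=MyBookLive
"""

# "Mon DD HH:MM:SS host proc: message" -- proc runs up to the first colon,
# so "shutdown[24582]" and the bare "_" used by the package installer both parse.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^:]+): ?(?P<msg>.*)$"
)
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_line(line, year=2021):
    """Parse one syslog line; the year is assumed because syslog omits it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss)
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}


def find_factory_resets(log_text, year=2021, window=timedelta(hours=2)):
    """One finding per factoryRestore.sh run, with what followed it inside `window`.

    A restore that nobody at the keyboard asked for is the indicator; the
    reboot, the gap until the data volume remounts, and the package reinstall
    sequence are the corroborating events.
    """
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    findings = []
    for i, ev in enumerate(events):
        if ev["proc"] != "factoryRestore.sh" or "begin script" not in ev["msg"]:
            continue
        f = {"reset_at": ev["ts"], "reboot_at": None, "mounted_at": None,
             "packages_reinstalled": [], "downtime": None}
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break
            if later["proc"].startswith("shutdown") and "reboot" in later["msg"]:
                f["reboot_at"] = f["reboot_at"] or later["ts"]
            elif later["proc"] == "S15mountDataVolume.sh" and f["mounted_at"] is None:
                f["mounted_at"] = later["ts"]
            elif later["proc"] == "_" and later["msg"].startswith("pkg: "):
                f["packages_reinstalled"].append(later["msg"][5:].strip())
        if f["mounted_at"] is not None:
            f["downtime"] = f["mounted_at"] - f["reset_at"]
        findings.append(f)
    return findings


def summarize(findings):
    """Render findings as one line each for a quick read of the evidence."""
    if not findings:
        return "no factoryRestore.sh invocation found"
    lines = []
    for f in findings:
        back = (f"data volume back {f['downtime']} later" if f["downtime"] is not None
                else "data volume not remounted within window")
        lines.append(
            f"factory restore began {f['reset_at']:%b %d %H:%M:%S}; "
            f"reboot {'logged' if f['reboot_at'] else 'NOT logged'}; {back}; "
            f"{len(f['packages_reinstalled'])} packages reinstalled "
            f"({', '.join(f['packages_reinstalled'])})"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(find_factory_resets(SAMPLE_LOG)))
```

On the quoted excerpt this reports a restore at 15:14:05 with the reboot logged the same second, the data volume back 48 minutes 21 seconds later, and six packages reinstalled, which is the sequence of a fresh factory state coming up, not of a disk failure. The script only reads the log; the `/var/log` contents on the device are what you would copy off before powering it down, since a further reset would overwrite them.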
jebmke wrote: ↑Fri Jun 25, 2021 1:45 pm
[...]
What does this mean in practical terms? If there is a bug already present on your WD device, will simply disconnecting it from the LAN prevent a wipe (assuming one has not already occurred), or should the unit be shut down? One risk of a shutdown is that it will have to go through a boot cycle.
If I connected this to a router that was offline from the WAN, would it be safe to connect to it with a computer long enough to migrate the data to another device (assuming it is still there)? My WD has a fixed IP address so I don't think I would need to reboot it to reconnect to a disconnected LAN as long as the gateway address is the same. I could take my primary router offline but that would take the rest of the house offline. My preference would be to fire up a backup router with the same gateway access but not connected to the outside and then do the migration from that.
I think it should be safe inside a NAT'ed network. From the internet, the devices aren't visible at all.
It's tricky if the device is "calling home" somewhere and that's compromised. But I find it very unlikely.
Marseille07 wrote: ↑Fri Jun 25, 2021 1:49 pm
I think it should be safe inside a NAT'ed network. From the internet, the devices aren't visible at all.
If this is true (visibility) then how are they compromised? These devices have one Ethernet jack and I am not sure how one would even work if it were plugged into the cable modem directly. There would be no way to address it from the LAN so what would be the point?
Marseille07 wrote: ↑Fri Jun 25, 2021 1:49 pm
I think it should be safe inside a NAT'ed network. From the internet, the devices aren't visible at all.
If this is true (visibility) then how are they compromised? These devices have one Ethernet jack and I am not sure how one would even work if it were plugged into the cable modem directly. There would be no way to address it from the LAN so what would be the point?
It's hard to say, but maybe it's possible the routers are misconfigured? For example, DMZ allows LAN -> DMZ access as well as WAN -> DMZ. Malicious attackers can hit DMZ without hacking your LAN.
Or, perhaps people set up port forwarding on the router to allow remote access, and attackers are discovering those ports.
Marseille07 wrote: ↑Fri Jun 25, 2021 3:16 pm
It's hard to say, but maybe it's possible the routers are misconfigured? For example, DMZ allows LAN -> DMZ access as well as WAN -> DMZ. Malicious attackers can hit DMZ without hacking your LAN.
Or, perhaps people set up port forwarding on the router to allow remote access, and attackers are discovering those ports.
It is possible to configure the WD NAS to be accessible from outside the network by enabling "Remote Access." I have never looked at the user manual to see if there is any technical explanation of how this works since I have never been interested in having any device on my net accessible from outside the net.
Mine is getting a little long in the tooth so I have been thinking for a while that I need to replace it anyway.
Marseille07 wrote: ↑Fri Jun 25, 2021 3:16 pm
It's hard to say, but maybe it's possible the routers are misconfigured? For example, DMZ allows LAN -> DMZ access as well as WAN -> DMZ. Malicious attackers can hit DMZ without hacking your LAN.
Or, perhaps people set up port forwarding on the router to allow remote access, and attackers are discovering those ports.
It is possible to configure the WD NAS to be accessible from outside the network by enabling "Remote Access." I have never looked at the user manual to see if there is any technical explanation of how this works since I have never been interested in having any device on my net accessible from outside the net.
Mine is getting a little long in the tooth so I have been thinking for a while that I need to replace it anyway.
“It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,” NVD wrote.
This explanation is a bit weak, because it isn't as simple as described. Your router simply rejects connections to a closed port, even if they know your IP. In any event, it appears like allowing Remote Access sounds like a huge culprit in this circumstance.
Anyone with one of these drives should disconnect it from the Internet since the data on them can be easily deleted by a hacker and apparently this is becoming more widespread.
If this has already been posted, or doesn't fit at this site feel free to delete this post!
----------------------------- |
If you think something is important and it doesn't involve the health of someone, think again. Life goes too fast, enjoy it and be nice.
It is sad that companies simply are not held responsible for carelessness.
From the Krebs story -
The story credits VPN reviewer Wizcase.com with reporting the bug to Western Digital three years ago, back in June 2018.
“The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012,” reads a reply from Western Digital that Wizcase posted to its blog. “These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle.”
WD also recommended that people using them configure a firewall to prevent remote access to the device. I'll be generous here but I'd say 90% of all users of such devices have no clue what a firewall is, much less can configure one.
rich126 wrote: ↑Tue Jun 29, 2021 4:06 pm
It is sad that companies simply are not held responsible for carelessness.
From the Krebs story -
The story credits VPN reviewer Wizcase.com with reporting the bug to Western Digital three years ago, back in June 2018.
“The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012,” reads a reply from Western Digital that Wizcase posted to its blog. “These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle.”
WD also recommended that people using them configure a firewall to prevent remote access to the device. I'll be generous here but I'd say 90% of all users of such devices have no clue what a firewall is, much less can configure one.
Unless you purposely enable port-forwarding, your router doesn't allow remote access to the device.
The vulnerability here is that simply having remote access allowed the device to get wiped.