WD My Book Live data deleted

Topic Author
dual
Posts: 1383
Joined: Mon Feb 26, 2007 6:02 pm

WD My Book Live data deleted

Post by dual »

Western Digital, maker of the popular My Disk external hard drives, is recommending customers unplug My Book Live storage devices from the Internet until further notice while company engineers investigate unexplained compromises that have completely wiped data from devices around the world.

The mass incidents of disk wiping came to light in this thread (https://community.wd.com/t/help-all-dat ... own/268111) on Western Digital’s support forum. So far, there are no reports of deleted data later being restored.

https://arstechnica.com/gadgets/2021/06 ... n-digital/
Kagord
Posts: 1676
Joined: Fri Nov 23, 2018 12:28 pm
Location: Peaksville, Ohio

Re: WD My Book Live data deleted

Post by Kagord »

Hopefully, they can just update the firmware from their botched release and fix.

I think these are the drives that connect directly to the network and are like a NAS. I don't think these are the USB drives.

So, if it looks like this in the back with a network port, unplug it.
Image
manatee2005
Posts: 2136
Joined: Wed Dec 18, 2019 8:17 pm

Re: WD My Book Live data deleted

Post by manatee2005 »

Kagord wrote: Fri Jun 25, 2021 4:20 am Hopefully, they can just update the firmware from their botched release and fix.

I think these are the drives that connect directly to the network and are like a NAS. I don't think these are the USB drives.

So, if it looks like this in the back with a network port, unplug it.
Image
Rule of thumb for data. If you have something digital on only one hard drive, you actually don't have that data. I make sure I have 2 or even 3 copies of anything important.
TravelGeek
Posts: 4902
Joined: Sat Oct 25, 2014 3:23 pm

Re: WD My Book Live data deleted

Post by TravelGeek »

From WD:

“The My Book Live device received its final firmware update in 2015.”

Nice, so no security updates since then? And my guess is they probably don’t have many of the original staff or contractors who worked on the firmware around anymore to deal with this emergency.
jebmke
Posts: 25476
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: WD My Book Live data deleted

Post by jebmke »

Once you take the NAS offline, is there any way to see if your data is still there?

Put another way. If I take my computer offline (or even take the LAN offline), can I blow all the data (assuming it is there) to a USB drive?
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
wolf359
Posts: 3207
Joined: Sun Mar 15, 2015 8:47 am

PSA: Disconnect your Western Digital Live MyBook from Internet

Post by wolf359 »

[Thread merged into here --admin LadyGeek]

The Western Digital Mybook Live is an external hard drive that plugs into an ethernet cable instead of directly into your computer. It is a cheap, reliable storage solution that provides a private cloud experience. It's a very easy way to create a space for friends and family to share photos and videos across the Internet and to mobile devices. It's been reliable for years, and we use it for family photos and other things we want to share. It's popular for that purpose.

This all changed yesterday. There's apparently a malware attack that is wiping these drives. If you own one, Western Digital is advising that you unplug it while they figure out what is going on, and how to stop it.

Article links:
https://arstechnica.com/gadgets/2021/06 ... n-digital/
https://www.engadget.com/western-digita ... 09502.html

Again, these aren't the Western Digital external hard drives that are attached to your USB port. These plug into your network directly.
BigFoot48
Posts: 3115
Joined: Tue Feb 20, 2007 9:47 am
Location: Arizona

Re: WD My Book Live data deleted

Post by BigFoot48 »

I unplugged mine immediately when I saw an article on this yesterday. I had accessed a file on it a few hours earlier so I'm confident mine was not wiped on June 23 like happened to many others. Fortunately I also have a backup done a week ago to a portable drive.

This is bad. Many people on the WD forum are reporting completely wiped drives as a result of the factory reset instruction sent out by the person that did this.

UPDATE: I see I have the WD My Cloud version which doesn't appear to be the subject of the attack. Still leaving unplugged until more info comes out from WD. (They did not mention My Cloud in their alert.)
Last edited by BigFoot48 on Fri Jun 25, 2021 1:19 pm, edited 1 time in total.
Retired | Two-time in top-10 in Bogleheads S&P500 contest; 18-time loser
jebmke
Posts: 25476
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: WD My Book Live data deleted

Post by jebmke »

BigFoot48 wrote: Fri Jun 25, 2021 8:23 am I unplugged mine immediately when I saw an article on this.
Unless there is a fix or a way to access the data "offline," an unplugged device is no different than a wiped device. Mine is unplugged for now. My critical data is backed up online; the NAS is only used as a local mirror. I do have some other archived data that I would not like to lose but wouldn't be that big a deal.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Cheez-It Guy
Posts: 4007
Joined: Sun Mar 03, 2019 3:20 pm

Re: WD My Book Live data deleted

Post by Cheez-It Guy »

Why would you want your physical hard drive backup independently internet-connected?
jebmke
Posts: 25476
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: WD My Book Live data deleted

Post by jebmke »

Cheez-It Guy wrote: Fri Jun 25, 2021 8:28 am Why would you want your physical hard drive backup independently internet-connected?
A NAS is attached to a local network (LAN). The network is connected to the internet through the router. For almost all users, the use is to allow multiple devices to access the same data. In that application, the connection to the internet by the NAS is simply an artifact of how the devices are interconnected locally. It is technically possible to configure many NAS devices such that one can connect into it remotely to retrieve data from outside the LAN. I don't configure mine this way as I have no requirement to do so.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
BigFoot48
Posts: 3115
Joined: Tue Feb 20, 2007 9:47 am
Location: Arizona

Re: WD My Book Live data deleted

Post by BigFoot48 »

jebmke wrote: Fri Jun 25, 2021 8:26 am Unless there is a fix or a way to access the data "offline," an unplugged device is no different than a wiped device.
How true! One suggestion I've seen is to plug the WD into one's computer using an ethernet cable after logging off the internet.
Retired | Two-time in top-10 in Bogleheads S&P500 contest; 18-time loser
Cheez-It Guy
Posts: 4007
Joined: Sun Mar 03, 2019 3:20 pm

Re: WD My Book Live data deleted

Post by Cheez-It Guy »

jebmke wrote: Fri Jun 25, 2021 8:36 am
Cheez-It Guy wrote: Fri Jun 25, 2021 8:28 am Why would you want your physical hard drive backup independently internet-connected?
A NAS is attached to a local network (LAN). The network is connected to the internet through the router. For almost all users, the use is to allow multiple devices to access the same data. In that application, the connection to the internet by the NAS is simply an artifact of how the devices are interconnected locally. It is technically possible to configure many NAS devices such that one can connect into it remotely to retrieve data from outside the LAN. I don't configure mine this way as I have no requirement to do so.
Thanks! I don't think I'll plan to use one of these in the future.
RubyTuesday
Posts: 2241
Joined: Fri Oct 19, 2012 11:24 am

Re: PSA: Disconnect your Western Digital Live MyBook from Internet

Post by RubyTuesday »

There’s already a thread. They will likely be merged.

viewtopic.php?p=6085086#p6085086
“Doing nothing is better than being busy doing nothing.” – Lao Tzu
LadyGeek
Site Admin
Posts: 95696
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: WD My Book Live data deleted

Post by LadyGeek »

^^^ Very likely. :wink: I merged wolf359's thread into the ongoing discussion.

(Thanks to the members who reported the post.)
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
jebmke
Posts: 25476
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: WD My Book Live data deleted

Post by jebmke »

I would be interested in any interpretation of this excerpt from the ARS page by experienced Linux users (I believe these devices are essentially a Linux micro lashed to a hard drive).
Multiple users reported that the data loss coincided with a factory reset that was performed on their devices. One person posted a log that showed unexplained behavior occurring on Wednesday:

Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api


“I believe this is the culprit of why this happens,” the person wrote. “No one was even home to use this drive at this time.”
What does this mean in practical terms? If there is a bug already present on your WD device, will simply disconnecting it from the LAN prevent a wipe, assuming one has not already occurred, or should the unit be shut down? One risk of a shut down is that it will have to go through a boot cycle.

If I connected this to a router that was offline from the WAN, would it be safe to connect to it with a computer long enough to migrate the data to another device (assuming it is still there)? My WD has a fixed IP address so I don't think I would need to reboot it to reconnect to a disconnected LAN as long as the gateway address is the same. I could take my primary router offline but that would take the rest of the house offline. My preference would be to fire up a backup router with the same gateway access but not connected to the outside and then do the migration from that.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
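
Added example, not part of the post above or of the Ars Technica article: a short Python scan over the quoted syslog excerpt that flags each factoryRestore.sh run, notes whether a reboot was logged, and measures the time until the data volume is next mounted. The function names and the `year` default are assumptions (syslog lines carry no year); the sample lines are taken from the excerpt.

```python
import re
from datetime import datetime

# Sample input: lines from the excerpt quoted in the post above.
SAMPLE_LOG = """\
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

# Classic syslog layout: "Mon DD HH:MM:SS host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse(log_text, year=2021):
    """Yield (timestamp, tag, message) for every line that looks like syslog."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines instead of failing
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["tag"], m["msg"]


def find_factory_resets(log_text, year=2021):
    """Return one finding per factoryRestore.sh run seen in the log."""
    findings = []
    current = None
    for ts, tag, msg in parse(log_text, year):
        if tag == "factoryRestore.sh" and msg.startswith("begin script"):
            current = {"reset_at": ts, "reboot_logged": False,
                       "back_up_at": None, "downtime": None}
            findings.append(current)
        elif current is not None and current["back_up_at"] is None:
            if tag == "shutdown" and "reboot" in msg:
                current["reboot_logged"] = True
            elif (tag == "S15mountDataVolume.sh"
                  and msg.startswith("begin script: start")):
                # First data-volume mount after the reset: device is back up.
                current["back_up_at"] = ts
                current["downtime"] = ts - current["reset_at"]
    return findings


if __name__ == "__main__":
    for f in find_factory_resets(SAMPLE_LOG):
        print(f"factory restore at {f['reset_at']}, "
              f"reboot logged: {f['reboot_logged']}, "
              f"data volume mounted again after {f['downtime']}")
```
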
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: WD My Book Live data deleted

Post by Marseille07 »

jebmke wrote: Fri Jun 25, 2021 1:45 pm I would be interested in any interpretation of this excerpt from the ARS page by experienced Linux users (I believe these devices are essentially a Linux micro lashed to a hard drive).
Multiple users reported that the data loss coincided with a factory reset that was performed on their devices. One person posted a log that showed unexplained behavior occurring on Wednesday:

Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api


“I believe this is the culprit of why this happens,” the person wrote. “No one was even home to use this drive at this time.”
What does this mean in practical terms? If there is a bug already present on your WD device, will simply disconnecting it from the LAN prevent a wipe, assuming one has not already occurred, or should the unit be shut down? One risk of a shut down is that it will have to go through a boot cycle.

If I connected this to a router that was offline from the WAN, would it be safe to connect to it with a computer long enough to migrate the data to another device (assuming it is still there)? My WD has a fixed IP address so I don't think I would need to reboot it to reconnect to a disconnected LAN as long as the gateway address is the same. I could take my primary router offline but that would take the rest of the house offline. My preference would be to fire up a backup router with the same gateway access but not connected to the outside and then do the migration from that.
I think it should be safe inside a NAT'ed network. From the internet, the devices aren't visible at all.

It's tricky if the device is "calling home" somewhere and that's compromised. But I find it very unlikely.
jebmke
Posts: 25476
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: WD My Book Live data deleted

Post by jebmke »

Marseille07 wrote: Fri Jun 25, 2021 1:49 pm I think it should be safe inside a NAT'ed network. From the internet, the devices aren't visible at all.
If this is true (visibility) then how are they compromised? These devices have one Ethernet jack and I am not sure how one would even work if it were plugged into the cable modem directly. There would be no way to address it from the LAN so what would be the point?
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: WD My Book Live data deleted

Post by Marseille07 »

jebmke wrote: Fri Jun 25, 2021 3:03 pm
Marseille07 wrote: Fri Jun 25, 2021 1:49 pm I think it should be safe inside a NAT'ed network. From the internet, the devices aren't visible at all.
If this is true (visibility) then how are they compromised? These devices have one Ethernet jack and I am not sure how one would even work if it were plugged into the cable modem directly. There would be no way to address it from the LAN so what would be the point?
It's hard to say, but maybe it's possible the routers are misconfigured? For example, DMZ allows LAN -> DMZ access as well as WAN -> DMZ. Malicious attackers can hit DMZ without hacking your LAN.

Or, perhaps people set up port forwarding on the router to allow remote access, and attackers are discovering those ports.
jebmke
Posts: 25476
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: WD My Book Live data deleted

Post by jebmke »

Marseille07 wrote: Fri Jun 25, 2021 3:16 pm It's hard to say, but maybe it's possible the routers are misconfigured? For example, DMZ allows LAN -> DMZ access as well as WAN -> DMZ. Malicious attackers can hit DMZ without hacking your LAN.

Or, perhaps people set up port forwarding on the router to allow remote access, and attackers are discovering those ports.
It is possible to configure the WD NAS to be accessible from outside the network by enabling "Remote Access." I have never looked at the user manual to see if there is any technical explanation of how this works since I have never been interested in having any device on my net accessible from outside the net.

Mine is getting a little long in the tooth so I have been thinking for a while that I need to replace it anyway.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: WD My Book Live data deleted

Post by Marseille07 »

jebmke wrote: Fri Jun 25, 2021 3:25 pm
Marseille07 wrote: Fri Jun 25, 2021 3:16 pm It's hard to say, but maybe it's possible the routers are misconfigured? For example, DMZ allows LAN -> DMZ access as well as WAN -> DMZ. Malicious attackers can hit DMZ without hacking your LAN.

Or, perhaps people set up port forwarding on the router to allow remote access, and attackers are discovering those ports.
It is possible to configure the WD NAS to be accessible from outside the network by enabling "Remote Access." I have never looked at the user manual to see if there is any technical explanation of how this works since I have never been interested in having any device on my net accessible from outside the net.

Mine is getting a little long in the tooth so I have been thinking for a while that I need to replace it anyway.
Right. You're wise not to use that feature.

https://krebsonsecurity.com/2021/06/myb ... -internet/
“It can be triggered by anyone who knows the IP address of the affected device, as exploited in the wild in June 2021 for factory reset commands,” NVD wrote.
This explanation is a bit weak, because it isn't as simple as described. Your router simply rejects connections to a closed port, even if they know your IP. In any event, it appears like allowing Remote Access sounds like a huge culprit in this circumstance.
jebmke
Posts: 25476
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: WD My Book Live data deleted

Post by jebmke »

Thanks; that's helpful
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
rich126
Posts: 4475
Joined: Thu Mar 01, 2018 3:56 pm

PSA: Western Digital My Book Live Drives

Post by rich126 »

[Thread merged into here --admin LadyGeek]

Anyone with one of these drives should disconnect it from the Internet since the data on them can be easily deleted by a hacker and apparently this is becoming more widespread.

Been reported in a variety of media but Brian Krebs has some details at his site.
https://krebsonsecurity.com/2021/06/myb ... -internet/

If this has already been posted, or doesn't fit at this site feel free to delete this post!
----------------------------- | If you think something is important and it doesn't involve the health of someone, think again. Life goes too fast, enjoy it and be nice.
LadyGeek
Site Admin
Posts: 95696
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: WD My Book Live data deleted

Post by LadyGeek »

^^^ Thanks! (Also, thanks to the member who reported the post.)

I merged rich126's thread into the ongoing discussion.
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
rich126
Posts: 4475
Joined: Thu Mar 01, 2018 3:56 pm

Re: WD My Book Live data deleted

Post by rich126 »

It is sad that companies simply are not held responsible for carelessness.

From the Krebs story -
VPN reviewer Wizcase.com with reporting the bug to Western Digital three years ago, back in June 2018.
“The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012,” reads a reply from Western Digital that Wizcase posted to its blog. “These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle.”
WD also recommended people using them to configure a firewall to prevent remote access to the device. I'll be generous here but I'd say 90% of all users of such devices have no clue what a firewall is, much less can configure one.
----------------------------- | If you think something is important and it doesn't involve the health of someone, think again. Life goes too fast, enjoy it and be nice.
BigFoot48
Posts: 3115
Joined: Tue Feb 20, 2007 9:47 am
Location: Arizona

Re: WD My Book Live data deleted

Post by BigFoot48 »

Some good advice on the WD Community forum on restoring the deleted data and router and WDL settings to use to possibly prevent further intrusions: https://community.wd.com/t/help-all-dat ... n/268111/1
Retired | Two-time in top-10 in Bogleheads S&P500 contest; 18-time loser
Marseille07
Posts: 16054
Joined: Fri Nov 06, 2020 12:41 pm

Re: WD My Book Live data deleted

Post by Marseille07 »

rich126 wrote: Tue Jun 29, 2021 4:06 pm It is sad that companies simply are not held responsible for carelessness.

From the Krebs story -
VPN reviewer Wizcase.com with reporting the bug to Western Digital three years ago, back in June 2018.
“The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012,” reads a reply from Western Digital that Wizcase posted to its blog. “These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle.”
WD also recommended people using them to configure a firewall to prevent remote access to the device. I'll be generous here but I'd say 90% of all users of such devices have no clue what a firewall is, much less can configure one.
Unless you purposely enable port-forwarding, your router doesn't allow remote access to the device.

The vulnerability here is that simply having remote access allowed the device to get wiped.