Did your WD My Book NAS get Wiped? Put a Brave Face on It

A 2019 vulnerability is being exploited to remotely wipe countless Western Digital devices. The WD My Book Live NAS product is coming under attack from Eastern European malefactors.

The product line is long obsolete. The last security patch was in 2015. WD’s best suggestion is, “Disconnect it.”

But that’s no help to people who’ve lost their data. It’s like saying, “Shut the stable door,” after the horse has bolted. In today’s SB Blogwatch, we force a simile. [You’re fired—Ed.]

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Bad guy is coming to take me away.

My Book? Not Any More.

What’s the craic? Lawrence Abrams reports—“WD My Book NAS devices are being remotely wiped clean worldwide”:

Disconnect the device
NAS owners worldwide found that their devices have been mysteriously factory reset and all of their files deleted. WD My Book … allows owners to access their files and manage their devices remotely, even if the NAS is behind a firewall or router.

Users have expressed concerns that Western Digital’s servers were hacked. [But] Western Digital has determined [users] are being targeted using a remote code execution vulnerability. [The] devices received their final firmware update in 2015. Since then, a remote code execution vulnerability tracked as CVE-2018-18472 was disclosed.

If you own a WD My Book Live NAS device, Western Digital strongly recommends that you disconnect the device from the Internet.

And Radhamely de Leon adds—“A Hacker Is Remotely Wiping People’s Internet-Connected Hard Drives”:

Factory reset
WD My Book Live products, which are manufactured by Western Digital and can have anywhere from 2TB to 24TB of storage, can be accessed remotely over the internet through their My Cloud function. On Thursday, owners of the devices began posting on Western Digital’s forums that their data was being wiped.

Western Digital … released a statement confirming that the devices’ internet connectivity was what allowed them to be remotely wiped. … The statement also referred to … a bug in the remote command function that can be accessed by anyone who knows the device’s IP address.

The intent of the factory reset is unclear since it doesn’t seem like anything other than users’ personal files were impacted. Nor is it known who is responsible.

What’s the firm doing about it? Here are WD’s faceless PR goons—“Recommended Security Measures”:

Introduced to the market in 2010
We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. … The attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.

Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet … attackers may be able to discover vulnerable devices through port scanning.

We have obtained a sample of an affected device and are investigating further. Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools. The My Book Live series was introduced to the market in 2010 and these devices received their final firmware update in 2015.

We have heard customer concerns that the current My Cloud OS 5 and My Cloud Home series of devices may be affected. These devices use a newer security architecture and are not affected by the vulnerabilities used in this attack. We recommend that eligible My Cloud OS 3 users upgrade to OS 5 to continue to receive security updates.

Directly exposed to the internet, you say? MikeLanglois says it ain’t so:

Those settings are disabled
As one of the users impacted by this, its really annoying. … WD messed up big time, and because they are “legacy” products I doubt anyone will care. … It hasn’t had a firmware update since 2015.

It shouldn’t be possible for someone to throw out a killswitch like that. … I don’t access it externally—those settings are disabled.

Wait, how is that even possible, assuming a regular consumer broadband with a NAT/firewall? bigiain counts the ways:

Cross origin request forgery
[Perhaps] just a user on the same wi-fi network running a browser and visiting a site with malicious JavaScript. Possible a malicious site, possible a benign site with … a ****ty ad network, possible a poorly secured site with persistent xss flaws.

How good do you reckon a 6-years-past-EOL consumer Linux device’s defences against a browser running … JavaScript making http requests to http://192.168.0.[1..254]/cgi-bin/factoryRestore.sh?

Classic old cross origin request forgery. It ranks #7 in OWASP’s top 10 website security flaws.

Is this another case of convenience trumping security? fahrbot-bot drives the point home: [You’re fired—Ed.]

Hole in my firewall
Automatically via UPnP—sigh. Which is why I have UPnP disabled everywhere I can. If I want a frelling hole in my firewall, I’ll configure it myself.

Can you smell what ivraatiems is smelling?

Class action lawsuit
The CVE … has been public and unpatched since 2019. … There’s “we don’t support end-of-life devices” and then there’s “we refuse to fix absolutely critical, crippling security vulnerabilities in devices just a few years old.”

This is well over the line. I smell … class action lawsuit.

Do we need the equivalent of crash tests? joe_frisch is no dummy:

Average computer user
Can’t expect normal users to understand security. … We need the equivalent of product safety laws.

In the same way that we don’t expect an average car owner to do a structural analysis of their car to know its safe in an impact, or that the brakes function with high reliability, we can’t expect the average computer user to be able to evaluate the security of any device or software that they purchase.

Meanwhile, 1232 recycles this apt gag:

Remember kids, the ‘S’ in IoT stands for Security.

And Finally:

Ask your parents

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Sydney Sims (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
