Western Digital My Book Live drives are getting wiped on their own; company advises users to unplug it from the internet
Losing all your precious files is a data hoarder's nightmare. Unfortunately, many Western Digital My Book Live and My Book Live Duo users have been experiencing that for the past couple of days.
A thread created by a user on June 24th on the WD Community forums says that their My Book Live, connected to a home LAN, was wiped without any action on their part. The 2TB drive, which the user said was nearly full, showed only 3GB in use. This user wasn't alone: several others have reported exactly the same thing, and the thread had over 290 responses at the time of writing.
For context, this isn't your average external storage device that you plug into a USB port: it connects over Ethernet and offers cloud connectivity through your home network. Official support for the Western Digital My Book Live ended in 2015, which means the device has received no firmware updates since then.
Update: In a new statement published on its support portal, Western Digital clarifies that attackers exploited multiple security vulnerabilities to attack the network-attached drives. The flaw used to wipe the devices has been present in My Book Live firmware since 2011, so it is not the vulnerability disclosed in 2019 (CVE-2018-18472) that performed the resets. It has been assigned CVE-2021-35941 and allows an attacker to trigger a factory reset of the drive without any authentication.
Western Digital has also announced that it will begin offering data recovery services to affected customers in July. The company is also offering My Book Live users a trade-in program to upgrade to a My Cloud device. (End of update.)
The incident, first spotted by Bleeping Computer, appears to have occurred on June 23rd. Oddly, affected users were unable to log in to the drive through the web-based dashboard because their password was rejected as invalid, which is what a reset to factory defaults would produce. Users who inspected the device log found that their drives had been factory reset remotely. Many have tried to recover the data with third-party software, but only a few report success.
So, what happened? This isn't a hardware fault or a random event: the network drives received a command from a remote attacker that executed a factory reset.
Western Digital has issued an advisory recommending that users disconnect their My Book Live drives from the internet. It attributes the issue to a security vulnerability, CVE-2018-18472. The company obtained log files from affected users and, after analysing them, concluded that the My Book Live devices were being wiped as part of a malware attack. The file in question is a trojan named ".nttpd,1-ppc-be-t1-z" (the "ppc-be" in the name matches the big-endian PowerPC processor the My Book Live runs on). Western Digital has also recommended that users of devices running My Cloud OS 3 upgrade to OS 5 to receive security patches.
The official statement says no evidence was found that Western Digital's cloud services, firmware update servers, or customer credentials were compromised. So how did the attackers gain access to the devices?
What it doesn't say is that this vulnerability was first disclosed in July 2019 and was never patched, because the product had already been out of support for four years. The attackers used it to execute their malicious code on the drives remotely, and users paid the price for that neglect.
Note: I have not recovered a drive fully, and as such cannot recommend a particular piece of software. I would, however, suggest keeping the drive unplugged, to avoid overwriting the data on it, until you find a solution.
I have four Western Digital external hard drives; they are USB-based, for which I'm grateful. I can't even imagine losing all my data. If the security update had been provided, this fiasco could have been avoided, and users wouldn't have lost priceless photos and videos. Professional data recovery services aren't cheap; they can cost thousands of dollars.
What about you? Have you had such an experience with a network hard drive? How do you protect against such issues?