Western Digital My Book Live drives are getting wiped on their own; company advises users to unplug it from the internet
Losing all your precious files is a data hoarder's nightmare. Unfortunately, many Western Digital My Book Live and My Book Live Duo users have been experiencing that for the past couple of days.
A thread created by a user on June 24th, at the WD Community forums says that their WD My Book Live that was connected to a Home LAN got wiped automatically. The 2TB drive, which the user said was nearly full, showed only 3GB was being used. This user wasn't alone, several others have reported the exact same thing, the thread has over 290 responses at the time of writing this article.
For context, this isn't your average external storage device that you plug in to your USB port, it uses an Ethernet port to offer cloud-connectivity, through your home network. Official support for the Western Digital My Book Live ended in 2015, which means it no longer received firmware updates.
Update: In a new statement published on its support portal, Western Digital clarifies that hackers exploited multiple security vulnerabilities to attack the cloud-based drives. The security flaw in the My Book Live existed from 2011. So it wasn't the flaw from 2019 that was targeted. The issue has been referenced as CVE-2021-35941, and allowed the attacker to factory reset the drive without authentication.
Western Digital has also announced that it will start providing data recovery services to affected customers, beginning in July. The company is also offering My Boo Live users a trade-in program, to upgrade to a My Cloud device. End
The incident, first spotted by Bleeping Computer, seems to have occurred on June 23rd. What's weird is that the users were unable to login to the drive using the web based dashboard, and that their password was invalid. Users who inspected the log found that their devices were factory reset remotely. Many users have attempted to recover the data using third-party software, but only a few seem to have had success with it.
So, what happened? This isn't a hardware issue or something that happened randomly. The network drives received a command from a remote hacker, that executed a factory reset.
Western Digital has issued an advisory, that recommends users to unplug the My Book Live drives from the internet. It further highlights the cause of the issue to be a security vulnerability, CVE-2018-18472. The company received log files from affected users, and analyzed them. It has concluded that the Western Digital My Book Live devices were being wiped due to a malware attack. The file in question is a trojan named “.nttpd,1-ppc-be-t1-z”. Western Digital has also recommended users with devices on My Cloud OS 3 to upgrade to OS 5 to receive security patches.
The official statement mentions that no evidence was found to indicate that Western Digital cloud services, firmware update servers, or customer credentials were compromised. But how did the attackers gain access to the devices?
What it doesn't say is that this security loophole was first discovered in July 2019, and it wasn't patched by the company. The attackers exploited the vulnerability to execute the malicious code remotely, and the users had to suffer due to the negligence.
Note: I have not recovered a drive fully, and as such cannot recommend a particular software. I would however suggest keeping it unplugged to prevent overwriting the data on it, until you discover a solution.
I have 4 Western Digital external hard drives, they are USB-based, for which I'm grateful. I can't even imagine losing all my data. If the security update had been provided, this fiasco could have been avoided, and users wouldn't have lost priceless photos, videos. Professional data recovery services aren't cheap, it can cost thousands of Dollars.
What about you? Have you had such an experience with a network hard drive? How do you protect against such issues?
References: reddit r/datahoarder, r/techsupport, Ars Technica
image credit: WD Community Forums
https://techxplore.com/news/2021-06-mass-deletion-wd-devices-involved.html
Hi Ashwin!… since my last note, my character count has risen to 64,737 and my word count has risen to 10,047! Nevertheless, and to be honest, I have been thrifty… though, dramat(icly) expressive!… in the way in which I’ve prepared my text, and punctuation!… a compensation for lack of graphics, audio and colour!
Be brave Ashwin!… we only die once (usually!)!… but, we live every day!… day to day!
Best protection: offsite backup.
You need to have your encrypted data on a drive which is not connected to any computer and store it in a different place (i.e. other town, other part of town or other building at least).
Protects against: dumb mistakes, dying hardware, malware, water/fire damage, robbery etc.
To make it easy, there are USB docks where you can just stick a naked SATA drive in. Connect these to your NAS and do regular backups, then put the drive in a transport case and swap it with the 2nd drive which is in an offsite location. If your data has any worth to you, this is a must.
You can easily filter data to only backup the small and important files, if you have too much data.
NAS’s received lots of hype for a few years but it’s relatively easy to buy a real server for about the same amount as a NAS.
I have one WD Red SSD in a desktop, our server has huge Seagate HDD’s. Wasn’t too keen on WD’s shingled HDD’s for stuff I can’t lose. Or Windows’ Update system, it runs Ubuntu Server.
Personally, I’d never consider giving a My Book Live WAN access; they’re fundamentally gadgets with basic OS’s similar to most low/mid range consumer NAS’s. I don’t think this is over, there are a lot of similar devices out there.
But, as is usually the case, most users like the idea of remote access and trust the drive’s security. WD has to understand the degree of tech knowledge their users have but chose to let this drag on.
Brian Krebs has a good article on the debacle, yup, been known for quite a while:
https://krebsonsecurity.com/2021/06/mybook-users-urged-to-unplug-devices-from-internet/
Bro, a NAS is a already a server …
https://www.seagate.com/open-source/
Go for Seagate, from now on.
GNUnet.org!… or bust!
People!… if you are unfamiliar with the genius of the “Lead Gnuisance” of the Free Software Foundation, it’s time you got acquianted! And I’m referring, of course, to former MIT muscle, Professor Richard M. Stallman.
For decades, he and his millions of minions (some of the brightest minds in the world!) have been daily tweaking the cyber version of the Starship Enterprise (the FOSSFOSH Enterprise!)… and someday– soon!– it will rip through our cyberverse like a bat fleeing hell! But!… let us not be ignorant of the unheralded excursions that this craft has already embarked upon while most have been asleep (e.g., the excursions cited at https://itigic.com/operating-systems-most-used-by-supercomputers/ and https://en.wikipedia.org/wiki/TOP500).
Prepare to be amazed!
BTW!… the near 100 supercomputers in China that/ which surpasses the sum of U.S. supercomputers is more than compensated for by the majority of countries in league with the U.S.! And so, this is not about China vs the U.S.!… it’s more akin to the world vs the CCP!
It’s 105°F (40.6°C) in the shade right now in Seattle and I’m feeling sluggish and indolent. I want some of whatever MR MUSTASHE is on. ;-)
Ha, ha, ha!… and you READ like someone who doesn’t know the difference between SOUND and VISUAL SEMIOTIC REPRESENTATION!… or the difference between an outstanding President and a WIGGED SOCIOPSYCHOPATHIC APPRENTICE CLOWN, who– presently, apparently!– doesn’t have a LICENSED LAWYER! Ha, ha, ha!
You can’t make this sh*t up!… ha, ha, ha! Well… I suppose you can!… but, it READS like fiction!… schnorkel, schnorkel!
The “dead meat”… someone’s friend!… is between your ears!
Hey Ashwin!… this “feel special” character is intimating (i.e., by way of “it[‘]s” self-ascription!) that “it” knows everything that there is to know about the life and times of the obviously “left-of-center” RMS!… and that RMS’ departure from MIT is justified because RMS– in “it(‘)s” view!– is “morally stanky (and hence, the ‘rotten spam’ reference thrown at an RMS supporter!)! That is to say, RMS’ recently expressed views about the “Sexual Agency” of preteens is against the grain of this character’s assessment of what constitutes free speech! And I’m guessing, “it” knows little– to nothing!– about Bar and Bat Mitzvahs… and that PRETEENS once ruled Israel!
Ashwin, it’s your call to make… and the following sidebar digression could easily initiate a flood of Responses so numerous, that GH would require new staffing (and a GH PR spokesperson) just to deal with the good and evil flack that the ensuing would generate!… but… I have a 55,130 charactered (8,550 worded) Response to this “itjit’s” crap that’s burning a hole in my notepad files that I am more than willing to unleash here! And, although it transcends the debate surrounding closed source vs free and open source hardware and software ICT solutions, it underscores the very reason why FOSS and FOSH is so vital to a Secure Internet!
P.S.:…
I’m high on GNUnet.org!… it’s CYBERDELIC (copyrighted and copylefted!)!
That which is sufficiently metaphorical is also incomprehensible. Maybe because of lack of complete thought, maybe because of uncountable possible interpretations.
What???
BTW!… Who sold Giuliani that God-aweful “hair dye-shoe polish” we saw streaming down Rude?’s face a little while back?… Trump’s “wiggier”? Ha, ha, ha!
In bed with strange women (or comedians!… you choose!)!… Full of conspiratorial crap!… Dripping goop (No!… not Gwyneth Paltrow’s!)!… AND, unlicensed!… ha, ha, ha!
Wow, you sound like an overbearing salesperson from the ’50s, but worse, like rotten spam.
Hey Ashwin!… someone came into my system in the last couple of hours and wrote a nasty comment in one of my opened notepad files!… what do you think I should do about it– and, to this person?
Why did you have to go and change the way your site looks? When I click on latest posts the screen caps/photos are huge and ugly.
When I visit the comment section it doesn’t flow like it used to and is also ugly.
Don’t fix what’s not broken!
Use this link: https://www.ghacks.net/?s=
Thank you Ashwin for this news, very important article. Another example of the cloud wowing harmful not helpful, when using old peripherals connected to the internet
Presumably there is nothing stopping a determined hacker from wiping our laptop native hard drives as well
Your article mentions a Trojan, but it would be helped to tell your readers how that Trojan is typically activated – did computer users have to click on a file and what type of file, or was this a remote attack requiring no input from the computer owner?
Sorry, typo: Another example of the cloud being harmful not helpful
Don’t connect NAS to the internet directly or even via a router. Use storage through desktop operating systems only and patch them regularly.
I have an old WD ‘My Cloud’. As soon as I heard about this I powered it off. Will wait a few days before checking if it was affected.
Shame on Western Digital for not patching the vulnerability much sooner. Sadly one cannot fully rely on others these days for their own security. You have to take matters into your hands as much as possible.
I’ve had NAS devices for over 10 years, current one is a Western Digital EX2 Ultra. I only use them to backup or share data on my local home network. So my solution has always been to block them from accessing the Internet via a rule in my hardware firewall which is also locked down (ex. no remote access, UPnP disabled and all incoming ports blocked).
I have always disliked the idea that a device that stores critical data is able to get out to the Internet, not just for this type of issue but also the risk of leaking data (also why I don’t use cloud based storage either which is just someone else’s computer).
Something to be learned here also is that it’s very important to backup critical data to another location. Do not trust just one device with all your data. Myself even though my NAS has two hard drives to mirror data (should one drive fail) and is on a backup power supply and surge protector I still back up critical data to external media (and stored in a fire safe) in the event something were to happen to the NAS.
Get a separate NAS for your shared files, don’t connect your primary drives to the internet. Don’t even rely on the manufacturer to truly disable access (manufacturers like QNap and Synology still retain backdoor update access even if you disable connections in the GUI), set the NAS gateway to an unused range so it only has LAN access and can’t even see the internet.
WD knew about the vulnerability but didn’t issue a patch because the drives in question were past “end of support,” even though many were still in use in the real world. That’s unforgivable, IMO. As one of the commenters in the referenced datahoarders subreddit said, “‘it’s out of support’ for something this important is a great way to make me never buy anything from your company ever again.”
I’ve always liked WD HDDs, but I never trusted those cloud/live drives or related services.
WD makes some great tech, but the company has actually been in debt for a long time.
I’ll still buy and use WD drives, but that’s all.
As I recall, years ago, WD made a so-called media player/hard drive, that you could plug into a TV to play your movies files and such. It came with media software that was reported to be rather good for the time. I almost bought one, but I first checked out the WD forums and the users there where mad, as WD had ended support for it.
WD used to be the best name in the hard drive market back in the day – an ideal combination of quality, speed and reliability. Shame about the decline.
@ShintoPlasm: Hmmm. I remember the infamous WD “click of death” in the early 2000s because I fell victim to it *twice*, on the same computer! Prior to that, it was IBM’s “Deathstars” that got me … *four* times. (In both cases, all drives were bought at the same time as part of a daily system-drive cloning system. It wasn’t a case of fool me twice, shame on me. In retrospect, though, I should have bought same-capacity drives from different manufacturers.) I haven’t checked Backblaze’s reports for maybe a year or two, but for quite some time HGST 4TB drives enjoyed a good run for outstanding reliability. Of course, drives at a storage farm don’t undergo the repeated on/off cycles that most desktop and external-storage drives do.
How do you protect against such issues?
I don’t have a NAS, or media server, or any home network. I use no cloud storage services, I have no smart TVs, no smart controllers, no Wi-Fi, no VOIP, no printer sharing, and I own and control my own router.
I also keep what I use updated, otherwise it stays offline and rather isolated.
I have at least 3 copies of my media that I update manually, involving a computer that is mostly unplugged from the web.
When I want to share media with another device, I put it on an external drive and move it to that device.
As need be, I use portable media software that can run from/on any of my external drives, for use with most any device.
Besides being more secure, I find what I do be easier, cheaper, and better than the other alternatives, such as running a media server on a NAS, which downgrades the video quality as it transcodes, and is a security risk (been there done that).
Also, thanks to 18TB external drives, I can now keep all my media on one drive (not including backups), which makes everything much easier.
My next investment will be an affordable, small laptop that can hold 18TB, which is not a thing yet, but we are almost there.
As for games and streaming services, I do that all on an Xbox and a dedicated PC for just that.
As for my smart phone, it has it’s own account and I keep it away from my other systems. I mostly use a LAN phone.
I do all my online shopping and banking on my work PC, at a different location. That system is managed by the security firm of which I work for and trust.
I have a home security system with cameras and more, but the details of that I keep private.
The issue about the WD My Book Live drive (external hardrive) is not new or as recent as presented. At least not to me.
About 2 or 3 three years ago I had to totally disconnect it from my computer (not only from Internet) when I realized that somehow the PC was booting into “chkdisk” and it was deleting files (mostly valuable pictures) from the My Book Live drive.
I tried looking for a solution I could not find.
There was a dump file location created where the deleted files appeared to have been renamed.
Currently, the My Book Live drive is stored somewhere out there and I have not tried using it.
@Santiago Tejada
That’s right. Such issues go back a few years, which users have reported. I found a tech blog from 2018, and that guy warned about this and such.
There’s a lot of info about this now, which may be of help to you.