WD My Book Live storage drives are being remotely wiped — disconnect yours now

WD my book live NAS
(Image credit: WD)

Updated with new information about a second, previously unknown flaw that was exploited during the attack(s) on WD My Book Live drives. This story was originally published June 25, 2021.

Do you have a WD My Book Live network storage drive? Well, you better disconnect it from the internet immediately, or you could lose all your precious data.

WD has warned that some users have been finding their data has been wiped, despite no action on their part. Apparently this is due to some “malicious software” doing the rounds, and the company is advising users to disconnect their drives from the internet right away. 

A number of WD My Book Live owners have confirmed that their devices received a remote command to perform factory resets, starting yesterday afternoon and continuing through the night. 

Affected users have since discovered that they have lost all their data, and many of them are unable to log back into the drive via both the web browser and app portals. And yes, they did try the usual default admin passwords, without luck.

Weirdly, some users have reported that their file structure appears to be intact, leaving the drive full of empty folders. Others have confirmed that their drives only have the default folder that’s present when you switch it on for the very first time.

Because WD My Book devices are stored behind their own firewalls, and allow remote access via the My Book Live cloud servers, some users have expressed concerns that WD’s servers have been hacked. This is a very reasonable concern to have.

However, WD’s official statement claims that its cloud services and servers do not appear to have been compromised. Instead, the resets are being blamed on “malicious software," and WD clarified in a statement to BleepingComputer that affected devices have been “comprised by a threat actor." 

Evidently, the wiped WD My Book Live devices are being affected by someone exploiting a known vulnerability in the device’s software. This vulnerability allows for root remote command execution by anyone who knows the IP address of any unpatched device — which can be learned from an internet scan.

WD has confirmed that this issue is the result of the vulnerability being exploited on a large scale. To make matters worse, it seems as though the problem was never patched when it was discovered and publicized in 2018. WD states in its official statement that the affected drives received their last firmware update in 2015.

WD’s official advice is still to disconnect your My Book Live drives from the internet, and prevent your data being wiped. It’s unclear if a patch will be made available to prevent this problem from escalating further.

Update: A second, zero-day flaw used

Ars Technica, together with the security firm Censys, took a closer look at the log files from wiped My Book Live drives and found evidence that a second flaw, one previously unknown to Western Digital, was used in the attacks. 

Furthermore, the wiping of the drives may have been the result of an attempt by a second attacker to sabotage or steal the work of the first attacker.

The second flaw is what permits a remote user to factory-reset the drive. This is possible because protective code that forces a remote user to enter a password before factory-resetting a drive has been disabled. It has been simply "commented out" with special characters so that it is readable but will not execute. 

It is not clear why such an important function in the WD My Book Live's firmware would have been deliberately disabled, either during initial release or during a firmware update, but that is what appears to have happened. The last firmware updates for these drives was in 2015.

In fact, the Censys post argues that the WD My Book Live drives were hit by two different attackers. The first used the known vulnerability mentioned above to embed botnet code on the drives, but did not wipe the drives. Factory-resetting the drives would have wiped the botnet malware as well.

The second attacker used this new, previously unknown flaw to factory-reset the drives, perhaps as part of a personal dispute with the first attacker or as part of an attempt to "steal" them into a different botnet. While the first attack may have gone undetected by the drive owner/user indefinitely, the second attack was very blatant.

Either way, the advice is the same: Take your WD My Book Live networked hard drive off the internet.

TOPICS
Tom Pritchard
UK Phones Editor

Tom is the Tom's Guide's UK Phones Editor, tackling the latest smartphone news and vocally expressing his opinions about upcoming features or changes. It's long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He’s usually found trying to squeeze another giant Lego set onto the shelf, draining very large cups of coffee, or complaining about how terrible his Smart TV is.