WD My Book Live users wake up to find all their data deleted

[Chris Pratt]

 

Summary

A number of WD My Book Live owners have had their drives remotely wiped. 

 

Quotes

Quote

 Western Digital, maker of the popular My Disk external hard drives, is recommending customers unplug My Book Live storage devices from the Internet until further notice while company engineers investigate unexplained compromises that have completely wiped data from devices around the world.

 

The mass incidents of disk wiping came to light in this thread on Western Digital’s support forum. So far, there are no reports of deleted data later being restored.

 

My thoughts

This is a cautionary tale for both the dangers of connected devices and always having multiple separate backup locations for your important data. You definitely should not store any important data solely on a resource connected to the Internet. Really unfortunate for the people this happened to, though. Some reportedly have lost years of work or personal memories.

 

Sources

• https://arstechnica.com/gadgets/2021/06/mass-data-wipe-in-my-book-devices-prompts-warning-from-western-digital/
• https://www.pcmag.com/news/unplug-my-book-live-devices-immediately-to-avoid-your-data-being-erased
• https://community.wd.com/t/action-required-on-my-book-live-and-my-book-live-duo/268147

[Levent]

It seems there was a CVE released in 2018 for those device. Class action lawyers ASSEMBLE.

[Fasterthannothing]

1 hour ago, Levent said:

It seems there was a CVE released in 2018 for those device. Class action lawyers ASSEMBLE.

2018! Good grief that's why you don't use off the shelf cloud solutions. Buying something, unpacking it, and plugging it into the internet and it just works is creating an automatic attack vector and vulnerability.

[Chris Pratt]

1 hour ago, SlidewaysZ said:

2018! Good grief that's why you don't use off the shelf cloud solutions. Buying something, unpacking it, and plugging it into the internet and it just works is creating an automatic attack vector and vulnerability.

Definitely. Unfortunately, manufacturers market these products as advantageous for their ease of use and internet connectedness, without disclosing the potential downsides. There's a lot of people that know nothing about technology, but still need things like data backup solutions. Stories like these, while tragic, do help to educate the public at large, and hopefully people will take note.

[tkitch]

3 hours ago, Levent said:

It seems there was a CVE released in 2018 for those device. Class action lawyers ASSEMBLE.

unlikely to be a class action.  

 

It's an old device, like old enough that Windows 10 isn't officially supported old.

 

Now, while that doesn't mean WD should have ignored it, all devices get dropped by support eventually, and this is totally a reasonable age for that to have happened.  

[Chris Pratt]

23 minutes ago, tkitch said:

unlikely to be a class action.  

 

It's an old device, like old enough that Windows 10 isn't officially supported old.

 

Now, while that doesn't mean WD should have ignored it, all devices get dropped by support eventually, and this is totally a reasonable age for that to have happened.  

Depends. I'm not that familiar with this device, but presumably there's still active online features that made the remote wipe possible. If you're going to maintain support for that much, you need to patch security vulnerabilities, as well. If you, as a manufacturer, don't want to support a device like this any longer then you need to disable the online features of it, so it's just becomes a standard hard drive.

[tkitch]

1 minute ago, Chris Pratt said:

Depends. I'm not that familiar with this device, but presumably there's still active online features that made the remote wipe possible. If you're going to maintain support for that much, you need to patch security vulnerabilities, as well. If you, as a manufacturer, don't want to support a device like this any longer then you need to disable the online features of it, so it's just becomes a standard hard drive.

it sounds like the exploit was a shell script.  So I suspect that enough IP Scanning would find them and let a bit find and execute with little human interaction.  

 

My read seems to point toward "there is no WD Managed infrastructure" 

[Tieox]

Someone, somewhere is getting so fired.

[Chris Pratt]

1 minute ago, tkitch said:

it sounds like the exploit was a shell script.  So I suspect that enough IP Scanning would find them and let a bit find and execute with little human interaction.  

 

My read seems to point toward "there is no WD Managed infrastructure" 

But they could have patched the firmware to close the ports. Again, if you're going to kill it, kill it. Leaving it open and unpatched is negligence.

[tkitch]

Killing "working hardware" would cause a suit they would lose, though.

 

Announcing the end of life, etc etc. is standard practice.  Use at your own risk after that,

 

Why would a company produce a new firmware for a device they had announced the EOL for more than 3 years prior?  I can't imagine the established user base is /that/ large.

[WolframaticAlpha]

If EA makes hard drives, they will implement it as a feature, so when you don't pay your subscription, you lose all your data

[CerealExperimentsLain]

"Why do you back things up to BluRay, Lain?"

"Because that's a proper long term cold storage media with vast shelf life improvements over CDR and DVDR."

"Why not use hard drive's on a shelf, Lain?"

"Because even a hard drive used as cold storage, you have to trust the system you connect it to to not attack the drive the moment you connect it to.  BDR is write once.  The system can't erase it no matter how badly it wants to."

 

[CerealExperimentsLain]

26 minutes ago, WolframaticAlpha said:

If EA makes hard drives, they will implement it as a feature, so when you don't pay your subscription, you lose all your data

That's called 'Cloud Storage'.

 

Like sure they won't delete it right away but I'm sure in some years we'll have stories of people who thought they had backed stuff up in the cloud and forgotten about it only to have never updated their payment info or something and the host deleted it years ago.

[Chris Pratt]

1 hour ago, tkitch said:

Killing "working hardware" would cause a suit they would lose, though.

 

Announcing the end of life, etc etc. is standard practice.  Use at your own risk after that,

 

Why would a company produce a new firmware for a device they had announced the EOL for more than 3 years prior?  I can't imagine the established user base is /that/ large.

No. Sorry, I wasn't clear. I meant killing the online features, not the whole drive. Based on what you said, it seems they had already killed the online stuff on their end, but then they left the drives with open ports and unpatched security vulnerabilities. That's the issue.

[Roswell]

43 minutes ago, CerealExperimentsLain said:

"Why do you back things up to BluRay, Lain?"

"Because that's a proper long term cold storage media with vast shelf life improvements over CDR and DVDR."

"Why not use hard drive's on a shelf, Lain?"

"Because even a hard drive used as cold storage, you have to trust the system you connect it to to not attack the drive the moment you connect it to.  BDR is write once.  The system can't erase it no matter how badly it wants to."

 

Optical recordable media is pretty much the least reliable method of data storage.

 

Those things could be unreadable in a few years, maybe 10 if you’re lucky… Literally any other medium lasts longer.

[CerealExperimentsLain]

8 minutes ago, Roswell said:

Optical recordable media is pretty much the least reliable method of data storage.

 

Those things could be unreadable in a few years, maybe 10 if you’re lucky… Literally any other medium lasts longer.

This is a common misconception based on experiences with CDR and DVDR and then people forwarding that expectation to 'All Optical Media'.  It's simply ignorance of technology.

 

CDR and DVDR used organic dyes as their data layers and they were never really the most shelf stable so are vulnerable to accelerated death depending on manufacture, storage condition and good old fashioned bad luck.  The BluRay Recordable disc on the other hand did away with all of this, BDR is made entirely of shelf stable metal alloy data layers that change phase, resulting in reflectivity changes, when heated by the laser instead.  The technology is remarkably shelf stable.  It's just that almost no one knows this because almost no one ever used BDR.  Most people moved from DVDR to flash storage and the cloud.

 

These 128GB quad layer BDXL discs?  They're the same thing used in Sony's Gen 1 Optical Disc Archive 1.5TB cartridges.  This is a 50y rated cold storage platform  No, literally, you can disassemble the cartridge and extract 12 discs that will run in a standard consumer BDXL drive.  They have the same media codes even.  This is because Sony is the only manufacturer of 128GB discs on the planet and they only have a single production line, they fork them off between ODA, some XDCAM products and these consumer discs.  Nifty stuff.  ...Also expensive AF.

 

https://pro.sony/en_FI/products/optical-disc-archive-cartridges/optical-disc-archive-cartridge-generation-1

[wanderingfool2]

5 hours ago, tkitch said:

Killing "working hardware" would cause a suit they would lose, though.

 

Announcing the end of life, etc etc. is standard practice.  Use at your own risk after that,

 

Why would a company produce a new firmware for a device they had announced the EOL for more than 3 years prior?  I can't imagine the established user base is /that/ large.

Yes and no.  If they stopped selling the devices in 2015, and the vulnerability was found in 2018 then they should still support it.  For internet connected devices that are meant to store important information and be accessed remotely it really should have more than 3 years of support.  Actually, I would argue that it should have closer to 10 years of support for critical vulnerabilities.  Similar to how Microsoft issued a patch for the eternal blue for XP.  Especially given that these products are being sold to consumers that likely won't know better.

 

At least if they are going to end firmware support, I think they should have put up warnings or have a firmware that gives the option to disable (while keeping other features).

[Forbidden Wafer]

When you look to the side and find out it is not your model.

[leadeater]

7 hours ago, Chris Pratt said:

Based on what you said, it seems they had already killed the online stuff on their end, but then they left the drives with open ports and unpatched security vulnerabilities. That's the issue.

Almost anything could have "unpatched vulnerabilities", that's not the issue at all. Once a device is no longer support it's not support, anything unpatched and unknown will stay that way forever in time unless, and this is the danger part about unsupported hardware and software, the vulnerability is discovered but it's not supported so it will not get patched.

 

Unsupported hardware and software really only have two states

1. Has vulnerability that are not known
2. Has vulnerabilities that are known

If you so choose to run unsupported hardware or software it's actually on you to figure out how to mitigate such risk.

 

Also while sure it sounds great if a final firmware release was created that disabled all cloud/network features like this but that's just security theatre, next to zero consumers would actually apply the firmware update. The educated and diligent few would benefit and be secure, so not really a direct reason to not do it so these people can, but realism at play little would change.

[Chris Pratt]

2 minutes ago, leadeater said:

Almost anything could have "unpatched vulnerabilities", that's not the issue at all. Once a device is no longer support it's not support, anything unpatched and unknown will stay that way forever in time unless, and this is the danger part about unsupported hardware and software, the vulnerability is discovered but it's not supported so it will not get patched.

 

Unsupported hardware and software really only have two states

1. Has vulnerability that are not known
2. Has vulnerabilities that are known

If you so choose to run unsupported hardware or software it's actually on you to figure out how to mitigate such risk.

 

Also while sure it sounds great if a final firmware release was created that disabled all cloud/network features like this but that's just security theatre, next to zero consumers would actually apply the firmware update. The educated and diligent few would benefit and be secure, so not really a direct reason to not do it so these people can, but realism at play little would change.

Not really sure why this is so hard to understand. The point is that WD made a connected device. Then stopped all the connected features, but left the device wide open. I'm not talking about continuing support, but the least they could have done is issued a final firmware update to at least close the ports. This is neither complicated nor controversial.

[leadeater]

Just now, Chris Pratt said:

but the least they could have done is issued a final firmware update to at least close the ports.

 

7 minutes ago, leadeater said:

Also while sure it sounds great if a final firmware release was created that disabled all cloud/network features like this but that's just security theatre, next to zero consumers would actually apply the firmware update. The educated and diligent few would benefit and be secure, so not really a direct reason to not do it so these people can, but realism at play little would change.

^ Nothing would have changed, this would have still happened.

[Chris Pratt]

Just now, leadeater said:

 

^ Nothing would have changed, this would have still happened.

That's not the point. Providing a firmware update at least shifts the responsibility onto the user. WD still owns this because of their negligence and complete disregard to their customers safety and security.

[Mark Kaine]

This is what will happen with all "cloud" data connected stuff, hence im not using any.

Thats besides im not trusting any of the big corps with my pr0n or even save data… >.>

 

[leadeater]

12 minutes ago, Chris Pratt said:

That's not the point. Providing a firmware update at least shifts the responsibility onto the user. WD still owns this because of their negligence and complete disregard to their customers safety and security.

I disagree that it's negligence, once an EOL is issued it's on you. I agree it's better to do a final firmware if possible but that's a really big assumption that such features can actually be disabled without also disabling function of the product that people want to use if they keep using it.

 

The negligence part is continuing to use an unsupported device that has inbuilt cloud connectivity like this. If something comes with it originally the only safe thing to assume is it will be there and active forever as that was how the device was designed to be, consideration for it to not be would not have been be done when designing the product.

 

It's your device, it's your data, it's your responsibility. Criticism I have for manufacturers and companies is the poor job at communicating that something is EOL, I would bet 99.99% of people using it would have had no idea.

 

Edit:

But my main and original point was security theatre does nothing, it makes you feel nice but it doesn't change reality. At best it's a CYA for WD and even then it doesn't really make them not look any worse. People would have still lost data and those people were using WD devices, WD is SOL no matter what, affected consumers too.

[Kisai]

11 hours ago, SlidewaysZ said:

2018! Good grief that's why you don't use off the shelf cloud solutions. Buying something, unpacking it, and plugging it into the internet and it just works is creating an automatic attack vector and vulnerability.

Good thing I never bought these cloud versions.