WD My Book Live users wake up to find all their data deleted

Chris Pratt
8 hours ago, CerealExperimentsLain said:

"Why do you back things up to BluRay, Lain?"

"Because that's a proper long term cold storage media with vast shelf life improvements over CDR and DVDR."

"Why not use hard drives on a shelf, Lain?"

"Because even with a hard drive used as cold storage, you have to trust the system you connect it to not to attack the drive the moment you connect it.  BDR is write once.  The system can't erase it no matter how badly it wants to."

 

-snip-

AND... it's the only medium that could survive an apocalyptic horrid solar flare event

I love optical media; it never should have died off the way it did. Everyone should be using it.


32 minutes ago, leadeater said:

I disagree that it's negligence, once an EOL is issued it's on you. I agree it's better to do a final firmware if possible but that's a really big assumption that such features can actually be disabled without also disabling function of the product that people want to use if they keep using it.

 

The negligence part is continuing to use an unsupported device that has inbuilt cloud connectivity like this. If something comes with it originally, the only safe thing to assume is that it will be there and active forever, as that was how the device was designed to be; consideration for it not being there would not have been done when designing the product.

 

It's your device, it's your data, it's your responsibility. Criticism I have for manufacturers and companies is the poor job at communicating that something is EOL, I would bet 99.99% of people using it would have had no idea.

 

Edit:

But my main and original point was security theatre does nothing, it makes you feel nice but it doesn't change reality. At best it's a CYA for WD and even then it doesn't really make them not look any worse. People would have still lost data and those people were using WD devices, WD is SOL no matter what, affected consumers too.

What are you proposing customers do when their product is no longer supported by the manufacturer? Throw them all in the bin the moment WD stopped issuing updates? Keep in mind the people who bought these in the first place bought them because of the "plug and play" simplicity of the device. They're likely not network engineers that know or care to secure their network against vulnerabilities they likely don't even know about.

These weren't hard drives sold 35 years ago either where most have either failed or been replaced by now and where only a few people who refuse to update were still running them. These were sold relatively recently and are otherwise perfectly usable storage drives. 


2 hours ago, bcredeur97 said:

AND... it's the only medium that could survive an apocalyptic horrid solar flare event

I love optical media; it never should have died off the way it did. Everyone should be using it.

Tape is faster, cheaper and far more dense, but you have to take care of tape.  It has narrow environmental tolerances, every read causes physical wear, the drive may eat the tape in a malfunction, and it's far from immune to a nice magnet.

A BDR, you're pretty much good if you keep it out of prolonged direct sunlight, don't put it in the microwave, set it on fire or hit it with a hammer.


If they didn't issue a patch, it is on WD... Sure, it might have reached an EoL, but lots of big-name companies still issue security patches for things such as these. Then it would be up to the consumer to update it, and then it would be their fault.

 

There is a case on hand, but this really doesn't look good for WD


It makes you wonder....as time goes on, the amount of data every individual has presumably will increase. We can assume that hard drive sizes do as well. BUT at what point should the typical person more closely consider a NAS vs External hard drive, vs cloud solution instead of just picking something up off the shelf. Vulnerability aside, it goes to show many people, although they are creating copies of their data into what they think is a "backup", do not truly appreciate what control they have or do not have over their data. It is making me re-evaluate what options I will consider moving forward.


14 hours ago, Chris Pratt said:

Definitely. Unfortunately, manufacturers market these products as advantageous for their ease of use and internet connectedness, without disclosing the potential downsides. There's a lot of people that know nothing about technology, but still need things like data backup solutions. Stories like these, while tragic, do help to educate the public at large, and hopefully people will take note.

Also, people who buy external drives usually want to use them for backup. Who wants their backup connected to the internet?! People who do just pay for cloud storage!


1 hour ago, CerealExperimentsLain said:

Tape is faster, cheaper and far more dense, but you have to take care of tape.  It has narrow environmental tolerances, every read causes physical wear, the drive may eat the tape in a malfunction, and it's far from immune to a nice magnet.

A BDR, you're pretty much good if you keep it out of prolonged direct sunlight, don't put it in the microwave, set it on fire or hit it with a hammer.

You know what’s even better? This

[image attachment]


Isn't the point of cloud to be a secondary layer, not primary? You know, if HDD fails you still have cloud backup? Why would cloud delete the local one?


6 hours ago, Spotty said:

What are you proposing customers do when their product is no longer supported by the manufacturer? Throw them all in the bin the moment WD stopped issuing updates?

The problem stems from the design itself, and there isn't a good solution to it other than to not do it. A product like this that implements a remote command and control capability is an ongoing liability and risk which only gets worse when it's unsupported.

 

If you have the knowledge and capability to block it, i.e. at router/firewall, then that should be done but like people actually installing firmware updates on to these devices that group is small. So sadly yes the only solution to devices with this is to stop using them.

 

Companies like WD should make the devices so that it is easy to remove the HDD from within it, offer existing customer upgrade programs and diskless purchase options so you can either upgrade at a cheaper price (existing customer benefit program) or bring your own HDD. Far as I can see they did for the Duo model, not sure about the single disk model.

 

[image: My Book Live Duo 8TB]

 

6 hours ago, Spotty said:

They're likely not network engineers that know or care to secure their network against vulnerabilities they likely don't even know about.

And that is why I said the majority would have had no idea it was unsupported. Whether people want to agree or not, unless companies find a way to improve information flow to customers about these things, them having created a firmware patch is effectively pointless. I want to be really clear here that there is a difference between simply feeling better because a company did something and it actually being effective at all. If the end result would have been the same regardless, then I say have a re-think about the situation as a whole. Blame gaming is rarely productive.

 

6 hours ago, Spotty said:

These were sold relatively recently and are otherwise perfectly usable storage drives. 

Correct, but a fundamental design flaw is a fundamental design flaw. Pretty much the solution to such things is to have never done it in the first place. It's really bad on the consumer, and that's where these product engineers should take more care and consideration into whether they should actually implement something, not whether they can. Is this actually safe to do, what are the long term risks? Threat analysis should be part of every piece of technology product design nowadays.


Also as an additional note it sounds like the people that were affected are also the ones that should have potentially known better, or how to mitigate the risk, or how to install firmware updates (if there were actually one).

 

Quote

We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.

Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.

https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo

 

I'm a little skeptical UPnP would have actually configured such a forwarding rule to the main web interface of this so my suspicion is it's only those who setup a port forward on their routers.
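A defender-side check for the condition the WD advisory quoted above describes (the device's web interface reached from a variety of external addresses), as an added example that is not from the thread, WD or the device firmware: it parses Common Log Format access-log lines and reports admin-path requests whose source address is outside the LAN. The log lines, the /admin/ path prefix and the source addresses are constructed; RFC 5737 documentation ranges stand in for the public IPs a real log would contain.

```python
"""Flag admin-interface requests that reach a device from outside the LAN.
Added example for this thread, not WD code: the log lines, the /admin/ path
and the addresses are constructed (RFC 5737 ranges stand in for public IPs)."""
import ipaddress
import re
from collections import Counter

# NCSA Common Log Format: host ident authuser [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed path prefix of the management UI (placeholder for this example).
ADMIN_PREFIX = "/admin/"

# Only these ranges can originate on the local network; anything else is
# treated as external, which is the condition the WD advisory describes.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 equivalents
)]

# Constructed sample: LAN traffic plus two external hosts, one of which
# reaches the admin UI and then POSTs to a (made-up) reset endpoint.
SAMPLE_LOG = """\
192.168.1.23 - - [23/Jun/2021:02:10:01 +0000] "GET /admin/index.php HTTP/1.1" 200 5120
192.168.1.23 - - [23/Jun/2021:02:10:05 +0000] "GET /shares/ HTTP/1.1" 200 812
203.0.113.45 - - [23/Jun/2021:03:41:17 +0000] "GET /admin/index.php HTTP/1.1" 200 5120
203.0.113.45 - - [23/Jun/2021:03:41:20 +0000] "POST /admin/reset HTTP/1.1" 200 0
198.51.100.7 - - [23/Jun/2021:04:02:33 +0000] "GET /admin/index.php HTTP/1.1" 401 0
10.0.0.9 - - [23/Jun/2021:04:05:00 +0000] "GET /admin/index.php HTTP/1.1" 200 5120
"""


def is_local(ip_text):
    """True if the host field parses as an address on the local network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable host field: do not assume it is local
    return any(ip in net for net in LOCAL_NETS)


def find_external_admin_access(log_text):
    """Return parsed entries that hit the admin UI from a non-local address.
    Failed attempts (e.g. 401) count too: the point is reachability."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not Common Log Format; skip
        entry = m.groupdict()
        if entry["path"].startswith(ADMIN_PREFIX) and not is_local(entry["ip"]):
            hits.append(entry)
    return hits


def summarise(hits):
    """Number of external admin requests per source address."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = find_external_admin_access(SAMPLE_LOG)
    for ip, n in summarise(found).items():
        print(f"{ip}: {n} admin request(s) from outside the LAN")
```

Any non-empty result means the management interface is reachable from the internet, whether via a manual port forward or a UPnP mapping, and the forwarding should be removed at the router.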


8 hours ago, leadeater said:

I'm a little skeptical UPnP would have actually configured such a forwarding rule to the main web interface of this so my suspicion is it's only those who setup a port forward on their routers.

UPnP is cancer. The safe and reasonable default is disabled on the gateway, but most come with it enabled.


Did I get this right? You buy cloud storage and after 3 years they just delete it? What's the point of this then? Did they disclose on the package that this solution would only be good for "~3 years"…?

 

 

8 hours ago, leadeater said:

I'm a little skeptical UPnP would have actually configured such a forwarding rule to the main web interface of this so my suspicion is it's only those who setup a port forward on their routers.

Ah, I always thought UPnP is inherently insecure… that's not the case? What makes it secure then?

 

 


2 minutes ago, Mark Kaine said:

Ah, I always thought UPnP is inherently insecure… that's not the case? What makes it secure then?

It is bad but UPnP doesn't just open ports willy nilly (well it sort of does but still lol). The device has to initiate it and I'm skeptical that NAS type device is requesting a port forward to a private administrative web interface.


5 minutes ago, leadeater said:

It is bad but UPnP doesn't just open ports willy nilly (well it sort of does but still lol)

Yeah, that's about what I knew about it… lol.

 

6 minutes ago, leadeater said:

The device has to initiate it and I'm skeptical that NAS type device is requesting a port forward to a private administrative web interface.

Ah ok, so it generally opens a port when a local "device", say a game, requests it? And that is still bad because an attacker could then use this open port, but it doesn't just open ports due to outside requests?


9 minutes ago, leadeater said:

The device has to initiate it and I'm skeptical that NAS type device is requesting a port forward to a private administrative web interface.

Their default password being "admin" also didn't help.


2 minutes ago, Forbidden Wafer said:

Their default password being "admin" also didn't help.

Hey, that's still a big improvement over the password being "password"! 👀


25 minutes ago, leadeater said:

It is bad but UPnP doesn't just open ports willy nilly (well it sort of does but still lol). The device has to initiate it and I'm skeptical that NAS type device is requesting a port forward to a private administrative web interface.

Well, the device definitely was opening external ports with UPnP.  From their user manual:

Quote

The My Book Live drive attempts to configure the network to allow direct connections whenever possible. Some networks do not support the UPnP protocol, which My Book Live uses for those configurations. If you desire a direct connection instead of a relay, consult your router operating guide to determine UPnP compatibility. Additionally, some ISPs implement "double-NATing," which renders your router's IP address unreachable for direct connection (port forwarding). In this situation, consult your ISP for alternatives to enable port-forwarded connections.

By the looks of things, glancing over it all, it seems as though it serves up the connection to access your files "from the cloud" by acting as the webserver, which is where the vulnerability seems to exist.  So I wouldn't be surprised if the CVE from 2018 was referring to access that is given to the internet-facing device.

 

As a note as well... when the flaw was discovered in 2018, WD's response was this:

Quote

The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012. These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle. We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.

Any company selling to the general uninformed consumer, with the concept that it's pretty much plug and play, should not expect their customers to know that they have to configure the firewall to prevent remote access.  Actually, as a whole, devices like this should have auto-update features, and the last update should block features such as UPnP that open it up for attack.  If customers want to assume the risk, then they can try figuring out how to port forward... but if they aren't skilled enough to do that, then it's a good thing they lose access to the feature.


This is pretty bad tbh. I don't have one but have suffered data loss in the past so I can testify that it's really not fun trying to work out what you've lost in the process. And that was back in 2007/8 so only lost around 15GB of mainly replaceable data, vs 2TB of photos that some have lost in this incident.

 

From what I've read about this:

  • Support for these devices ended in 2015, with the last firmware update being the same year.
  • In 2018, there was a report that these devices were among those that were vulnerable to an external attack, with NIST.gov giving this a critical security rating of 9.8 out of 10. WizCase did some analysis at the time that is beyond me, link for anyone interested. The gist is that root access was pretty much available to anyone who knew the IP address of someone with a device connected to it. They didn't need anything else; just the IP address was enough to get full access.
  • This week - someone targeted some or all of those harvested IP addresses from various locations at different times to use this attack vector to send a factory reset command to My Book Live devices.
  • The cause appears to be a trojan loaded onto the devices to force the reset, but whether that was injected just prior to the attack or years ago is unknown (though it's clearly possible since the vulnerability was published 3 years ago).

WD did appear to respond to the 2018 report, but I can't answer for whether they contacted customers to warn them of the risks of keeping these drives online - certainly they have a list of affected customers as they have sent emails out to affected users.

 

I don't know enough about EXT2/EXT3, but I know it's widely used on NAS drives and in TV PVR boxes - and in the case of the few HDDs from PVRs that I tried, I never had success in recovering data from them. Hope there's a good solution for this, but I'm not optimistic. And if WD failed to contact customers back in late 2018 when the exploit was published (around a YEAR after it was discovered), then lawsuits will probably be incoming. The thing is WD probably should have patched this regardless - for context, my old iPod is stuck on iOS 12 but still got a security update last week, so it's not beyond reasonable thinking that WD should have dealt with something this serious.

 

One interesting thing I spotted is that someone had Netgear Armor & it blocked connections to their Mybook Live so their unit is luckily unaffected. It appears to be a subscription service - not sure I'd go that route myself but I'm sure that user is very happy to have paid whatever they've spent just to avoid this incident.
