Western Digital’s My Book Live devices offer the ability to set up a storage pool on the network without the hassle or expense of a full NAS box. It might seem like just what you need, but Western Digital seems to have missed a major and glaring bug. According to At Ars Technica, My Book Live owners around the world are reporting that their devices have been wiped from all data and Western Digital advises everyone to disconnect drives from the Internet for now.
WD stopped selling My Book Live devices several years ago, which connect to the router via Ethernet rather than USB. The issue surfaced in a WD community forum thread earlier this week. Usually, these threads have a smattering of interested individuals, with everyone else offering possible solutions. Here, almost every answer is someone else saying their data simply disappeared on June 23. Even those who managed to reset device passwords and access drives found that their files were long gone.
At first, everyone speculated that WD sent a bad firmware update, but the truth is even worse. Several users were able to extract the logs from the device which showed a “factoryRestore.sh” script running on the afternoon of June 23rd. Since My Book Live cases use encryption, there is probably no way to recover deleted data.
WD confirmed that its cloud infrastructure was not compromised, but the “threat actor” did not need to. My Book Live devices are found to have an unpatched vulnerability known as CVE-2018-18472. This is a type of severe exploit known as a remote command execution bug. All anyone needs is the IP address of the unit and they can trigger a factory reset. Western Digital recommends disconnecting drives from the Internet until further notice.
Unfortunately, logging off drives will only help those who haven’t already been hit by the wave of remote access cancellations. It could be argued that these people should have had backups and leaving an unsupported device connected to the internet is a bad idea, but this is a consumer device. Most people don’t think about the security implications when devices like My Book Live aren’t supported. It may be an older product, but WD really dropped the ball by letting this vulnerability go unpatched on My Book Live.