Western Digital customers who had configured the company’s external hard drives to be remotely accessible are waking up to find all their data erased. WD has downplayed the problem, hiding its response in a support update. Should WD be addressing the problem more visibly, or is this a case of “buyer beware?”
According to Krebs on Security, some customers using WD’s “MyBook Live” product found all their data mysteriously and unrecoverably missing. The affected customers had used a feature to make their drives remotely accessible through the Internet. WD had stopped selling the vulnerable devices in 2014.
Western Digital’s response is hard to find
If you were looking for WD’s response to this issue, where would you look?
Here’s the company’s home page, with no indication that anything is awry.
Maybe it’s on the blog. Nope, nothing but promotional material and content marketing.
Is there a statement in the “Newsroom” section of the media site? No, all that’s there are promotional press releases and media kits:
Even if you dig deep down under “Support” for the affected products, you won’t find any useful information.
The “not our problem” update is tucked away in a support subsite
I only found Western Digital’s statement because it was linked in a news article. It’s under Support/Product Security. And it basically says “you’re screwed.”
Here’s the statement with my translation and commentary. I’ve added italic to indicate passive voice.
Recommended Security Measures for WD My Book Live and WD My Book Live Duo
Product Line: WD My Book Live and WD My Book Live Duo
Published: June 24, 2021
Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.
Translation: Because we didn’t make the devices secure enough, hackers can remotely tell them to erase all the data.
Commentary: Here’s a sentence written to avoid all responsibility: “devices are being compromised through exploitation of a remote command execution vulnerability.” That’s a long way to say “We screwed up.”
We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access. The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.
Additionally, the log files show that on some devices, the attackers installed a trojan with a file named “.nttpd,1-ppc-be-t1-z”, which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.
Translation: We’re still figuring out what went wrong.
Commentary: Nothing in these paragraphs helps users.
Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.
We understand that our customers’ data is very important. We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further. Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.
Translation: We don’t know yet if this is even worse than it appears. We don’t know why it happened. We don’t know if you can recover your data.
Commentary: There is still no apology here, nor a remedy. “We understand that customers’ data is very important” is the weakest possible statement of sympathy, and takes no responsibility.
At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device by following these instructions on our Knowledge Base.
We have heard customer concerns that the current My Cloud OS 5 and My Cloud Home series of devices may be affected. These devices use a newer security architecture and are not affected by the vulnerabilities used in this attack. We recommend that eligible My Cloud OS 3 users upgrade to OS 5 to continue to receive security updates for your device
Translation: Unplug it. If you have a more modern device, you’re probably safe, but you ought to upgrade.
Commentary: This advisory should start with a statement of the problem and the recommended solution. Why is the recommendation at the bottom?
WD may regret burying this update
It is true that these are older products that WD no longer supports. It’s also true that exposing your external hard drive to the Internet is a poor security practice.
Even so, I find WD’s behavior callous and cowardly.
WD introduced the vulnerability. It noticed the vulnerability in 2018. The consequences — losing all your data — are severe. But the response is buried and passive.
Would you trust a company that treats its customers like this? I wouldn’t.