


WD My Book Live storage drives are being remotely wiped — disconnect yours now


WD my book live NAS
(Image credit: WD)

Updated with new information about a second, previously unknown flaw that was exploited during the attack(s) on WD My Book Live drives. This story was originally published June 25, 2021.

Do you have a WD My Book Live network storage drive? Well, you better disconnect it from the internet immediately, or you could lose all your precious data.

WD has warned that some users have been finding their data has been wiped, despite no action on their part. Apparently this is due to some "malicious software" doing the rounds, and the company is advising users to disconnect their drives from the internet right away.


A number of WD My Book Live owners have confirmed that their devices received a remote command to perform factory resets, starting yesterday afternoon and continuing through the night.

Affected users have since discovered that they have lost all their data, and many of them are unable to log back into the drive via both the web browser and app portals. And yes, they did try the usual default admin passwords, without luck.

Weirdly, some users have reported that their file structure appears to be intact, leaving the drive full of empty folders. Others have confirmed that their drives simply have the default folder that's present when you switch it on for the very first time.

Because WD My Book devices are stored behind their own firewalls, and allow remote access via the My Book Live cloud servers, some users have expressed concerns that WD's servers have been hacked. This is a very reasonable concern to have.

However, WD's official statement claims that its cloud services and servers do not appear to have been compromised. Instead, the resets are being blamed on "malicious software," and WD clarified in a statement to BleepingComputer that affected devices have been "compromised by a threat actor."

Evidently, the wiped WD My Book Live devices are being affected by someone exploiting a known vulnerability in the device's software. This vulnerability allows for root remote command execution by anyone who knows the IP address of any unpatched device, which can be learned from an internet scan.

WD has confirmed that this issue is the result of the vulnerability being exploited on a large scale. To make matters worse, it seems as though the problem was never patched when it was discovered and publicized in 2018. WD states in its official statement that the affected drives received their final firmware update in 2015.

WD's official advice is still to disconnect your My Book Live drives from the internet, and prevent your data being wiped. It's unclear if a patch will be made available to prevent this problem from escalating further.

Update: A second, zero-day flaw used

Ars Technica, together with the security firm Censys, took a closer look at the log files from wiped My Book Live drives and found evidence that a second flaw, one previously unknown to Western Digital, was used in the attacks.

Furthermore, the wiping of the drives may have been the result of an attempt by a second attacker to sabotage or steal the work of the first attacker.

The second flaw is what permits a remote user to factory-reset the drive. This is possible because protective code that forces a remote user to enter a password before factory-resetting a drive has been disabled. It has been simply "commented out" with special characters so that it is readable but will not execute.

It is not clear why such an important function in the WD My Book Live's firmware would have been deliberately disabled, either during initial release or during a firmware update, but that is what appears to have happened. The last firmware update for these drives was in 2015.
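A code-review check for the pattern described above, where an authentication call survives only inside comments. This is an added example, not code from the article or from WD's firmware; the sample source and every function name in it are constructed for illustration.

```python
import re

# Constructed sample in a C-style syntax. All names in it
# (require_owner_auth, factory_restore, set_share_name) are hypothetical.
SAMPLE_SOURCE = '''
function factory_restore($params) {
    // if (!require_owner_auth($params)) {
    //     return deny(401);
    // }
    return start_restore($params);
}

function set_share_name($params) {
    if (!require_owner_auth($params)) {
        return deny(401);
    }
    return rename_share($params);  // owner only
}
'''

# Line and block comments. Limitation: "//" or "#" inside a string
# literal is also treated as a comment start.
COMMENT_RE = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/', re.DOTALL)
FUNC_RE = re.compile(r'function\s+(\w+)\s*\([^)]*\)\s*\{')


def function_bodies(source):
    """Yield (name, body) per function; braces in comments are ignored."""
    blanked = COMMENT_RE.sub(lambda m: ' ' * len(m.group()), source)
    for m in FUNC_RE.finditer(blanked):
        depth, i = 1, m.end()
        while i < len(blanked) and depth:
            depth += {'{': 1, '}': -1}.get(blanked[i], 0)
            i += 1
        yield m.group(1), source[m.end():i - 1]


def find_disabled_auth_checks(source, auth_call):
    """Return functions where auth_call occurs only inside comments."""
    call = re.compile(r'\b' + re.escape(auth_call) + r'\s*\(')
    flagged = []
    for name, body in function_bodies(source):
        in_comments = any(call.search(c) for c in COMMENT_RE.findall(body))
        in_live_code = call.search(COMMENT_RE.sub('', body)) is not None
        if in_comments and not in_live_code:
            flagged.append(name)
    return flagged


if __name__ == '__main__':
    print(find_disabled_auth_checks(SAMPLE_SOURCE, 'require_owner_auth'))
```

A handler flagged by this check is one whose authentication was present at some point and then disabled, which is worth a manual look before a release ships.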

In fact, the Censys post argues that the WD My Book Live drives were hit by two different attackers. The first used the known vulnerability mentioned above to embed botnet code on the drives, but did not wipe the drives. Factory-resetting the drives would have wiped the botnet malware as well.

The second attacker used this new, previously unknown flaw to factory-reset the drives, perhaps as part of a personal dispute with the first attacker or as part of an attempt to "steal" them into a different botnet. While the first attack may have gone undetected by the drive owner/user indefinitely, the second attack was very blatant.

Either way, the advice is the same: Take your WD My Book Live networked hard drive off the internet.


Tom is the Tom's Guide's Automotive Editor, which means he can usually be found knee deep in stats on the latest and best electric cars, or checking out some sort of driving gadget. It's a long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He's usually found trying to squeeze another giant Lego set onto the shelf, draining very big cups of coffee, or complaining that Ikea won't let him buy the stuff he really needs online.

Source: https://www.tomsguide.com/news/wd-my-book-live-storage-drives-are-being-remotely-wiped-disconnect-yours-now

Posted by: collettimorephal51.blogspot.com
