It looks like there may have been more than one exploit used to cause the mass deletion of data from WD My Book Live NASes last week, according to a report from Ars Technica. When news broke that people were finding that their data was missing, some (including WD itself), pointed to a known exploit from 2018, which allowed for root access of the device. However, it appears as though there’s more going on than was initially suspected.
If you have one of these devices, you should unplug it from the internet before reading any further — it’s clear at this point that your data is at risk if the device is online.
The second exploit, reported by Ars Technica, doesn’t give an attacker full control over the device like the other exploit. It just allows them to remotely wipe the device without having to know the password. According to a security advisory from WD, the vulnerability was introduced in 2011, which is only a year after the drives were introduced. Analysts found that there was code that could’ve prevented the issue, but that it was commented out (or de-activated), so the software didn’t run authentication when asked to do a factory reset.
WD says in its post that the code that was deactivated was intentional, and was due to the company refactoring how the authentication was done on the device. However, the company says the exploit was introduced when the refactor failed to add the correct authentication type, resulting in the vulnerability.
The question still remains, though, as to why hackers decided to factory reset the devices. Ars Technica has a wild theory, based on analysis by security firm Censys: the data deletion happened as the result of a fight between hackers, with one botnet owner potentially trying to take over or disrupt another’s. One hacker (or group of hackers) was using the known exploit to control the devices for some nefarious purposes. Then, another entity used the unknown remote wipe exploit to erase those devices. It likely would’ve removed the first entity’s access to the hardware — but users’ data was caught in the crossfire.
The theory does make sense, given the competing nature of the exploits used. (Why would a hacker burn a previously unreported exploit to factory reset the machines after already having root access?) That said, in WD’s security advisory it says that, in some cases, it was the same party that used both exploits. In a statement to Ars, WD said it was “not clear why the attackers exploited both vulnerabilities.”
Also included in WD’s update is a plan to help My Book Live owners: the company will be providing data recovery services (which a spokesperson told Ars would be free), and offering a trade-in program that will allow customers to get a device that’s currently receiving software support.
Updated June 30th 2:40AM ET: Updated with new information from an update to WD’s security advisory, which offers an explanation for the commented-out authentication code.