Alarming Western Digital My Book Live Hack Reportedly Involved Two Dueling Security Exploits
Last week, hundreds if not thousands of My Book Live customers awoke to their devices being wiped and, in some cases, unrecoverable. At that time, it was simply thought that Western Digital had not patched a critical vulnerability from 2018 that allowed attackers to do this, but it seems there is more to the story than initially thought.
On June 23rd, WD Community Forum user sunspeak created a forum post that would ultimately spearhead the community outcry over the wiping of My Book Live devices. There have now been over 46,000 views and 763 replies on that post at the time of writing, some of which have devolved into fighting whether a company can just "end-of-life" (EOL) a product and not support it when there are glaring security issues. In any case, it seems the unpatched 2018 vulnerability was not the only thing at play here.
We now know that the attackers were using the 2018 vulnerability to download a malicious payload, run it, and join the WD My Book Live devices to a botnet, as researchers at Censys explain. Then, the attacker password-protected their way in so, in theory, no one else could come in and take their work to build the botnet. However, this does not explain why some users found that their devices were being factory reset.
As it turns out, the mass device wipes are part of a separate unauthenticated 0-day vulnerability in an endpoint named system_factory_restore, which does what the name implies. When the Censys team unpacked the firmware Western Digital shipped and looked at this endpoint, they surprisingly found the “authentication code commented out (disabled) at the top.” In short, this means a simple request to this endpoint would trigger the factory restore process without any authentication.
It is speculated that the mass-device wiping that occurred “could be an attempt at a rival botnet operator to take over these devices or render them useless, or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015.” Whatever the case is, there are still 55,348 WD My Book Live devices across the internet that Censys has detected, many of which are still being compromised by malware and may be wiped soon after. Thus, Western Digital My Book Live owners need to be incredibly careful with their devices and pull them offline, as they are now caught in the destructive crossfire of hackers. Moreover, Western Digital needs to make a move before this spirals out of control entirely, if it has not already.