URGENT DISCONNECT ALERT: Western Digital Drives Being Wiped
Western Digital has issued an urgent alert telling owners of My Book Live and My Book Live Duo devices to disconnect them after several owners had their drives completely wiped.
An investigation by the US company has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.
The company, which also makes SanDisk SD cards, is recommending that customers unplug their My Book Live storage devices from the Internet until further notice while its engineers investigate unexplained compromises that have completely wiped data from devices around the world.
The mass incidents of disk wiping came to light in this thread on Western Digital’s support forum.
So far, there are no reports of deleted data later being restored.
An email sent to customers over the weekend says that the company has limited information available at the moment, making it hard for its engineers to determine what is causing this mass data destruction.
The advice to unplug devices while the investigation continues is warranted, and users should follow it as soon as possible.
We have issued the following statement to our customers and will provide updates to this thread when they are available: https://community.wd.com/t/action-required-on-my-book-live-and-my-book-live-duo/268147.
“It is very scary and devastating that someone can do factory restore on my drive without any permission granted from the end user,” one user wrote. “I need a remedy to this issue immediately as this is already incurring a great cost to me.”
Multiple users reported that the data loss coincided with a factory reset that was performed on their devices. One person posted a log that showed unexplained behaviour occurring on Wednesday:
Jun 23 15:14:05 My Book Live factoryRestore.sh: begin script:
Jun 23 15:14:05 My Book Live shutdown : shutting down for system reboot.
Jun 23 16:02:26 My Book Live S15mountDataVolume.sh: begin script: start.
Jun 23 16:02:29 My Book Live _: pkg: wd-nas
Jun 23 16:02:30 My Book Live _: pkg: networking-general
Jun 23 16:02:30 My Book Live _: pkg: apache-php-webdav
Jun 23 16:02:31 My Book Live _: pkg: date-time
Jun 23 16:02:31 My Book Live _: pkg: alerts
Jun 23 16:02:31 My Book Live logger: hostname=MyBookLive
Jun 23 16:02:32 My Book Live _: pkg: admin-rest-api
“I believe this is the culprit of why this happens,” the person wrote. “No one was even home to use this drive at this time.”
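The sequence in that excerpt (factoryRestore.sh starting, a reboot, then the data volume being mounted again) can be searched for in a device log. The following is an added example, not code from Western Digital or the forum poster; the function names are hypothetical and the year is an assumed parameter because the timestamps in the excerpt carry none.

```python
import re
from datetime import datetime

# Constructed sample: the log excerpt quoted in the article.
SAMPLE_LOG = """\
Jun 23 15:14:05 My Book Live factoryRestore.sh: begin script:
Jun 23 15:14:05 My Book Live shutdown : shutting down for system reboot.
Jun 23 16:02:26 My Book Live S15mountDataVolume.sh: begin script: start.
Jun 23 16:02:29 My Book Live _: pkg: wd-nas
Jun 23 16:02:30 My Book Live _: pkg: networking-general
Jun 23 16:02:30 My Book Live _: pkg: apache-php-webdav
Jun 23 16:02:31 My Book Live _: pkg: date-time
Jun 23 16:02:31 My Book Live _: pkg: alerts
Jun 23 16:02:31 My Book Live logger: hostname=MyBookLive
Jun 23 16:02:32 My Book Live _: pkg: admin-rest-api
"""
# timestamp, host (may contain spaces, as in the excerpt), tag, message
LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(.*?)\s+(\S+?)\s*:\s+(.*)$")

def parse(log, year):
    """Yield (timestamp, tag, message). The caller supplies the missing year."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), m.group(4)

def find_factory_resets(log, year):
    """Return one record per factoryRestore.sh run plus the boot activity after it."""
    events, cur = [], None
    for ts, tag, msg in parse(log, year):
        if tag == "factoryRestore.sh" and msg.startswith("begin script"):
            cur = {"reset_at": ts, "reboot": False, "downtime_s": None, "pkg_lines": []}
            events.append(cur)
        elif cur is None:
            continue  # nothing before the first reset is attributed to one
        elif tag == "shutdown" and "reboot" in msg:
            cur["reboot"] = True
        elif tag == "S15mountDataVolume.sh" and cur["downtime_s"] is None:
            cur["downtime_s"] = int((ts - cur["reset_at"]).total_seconds())
        elif msg.startswith("pkg: "):
            cur["pkg_lines"].append(msg[5:])
    return events

if __name__ == "__main__":
    for e in find_factory_resets(SAMPLE_LOG, year=2021):  # year is an assumption
        print(f"{e['reset_at']:%b %d %H:%M:%S} factory reset; reboot={e['reboot']}, "
              f"volume mounted after {e['downtime_s']}s, pkg lines: {len(e['pkg_lines'])}")
```

A record with a reset time when nobody was using the device is the pattern the forum poster described.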
The email to device owners states that the company's investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised.
As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.
We understand your data is very important. Some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.
We are continuing our investigation and will post the latest information about this incident on our Product Security Portal. For further assistance, you can contact our Customer Support team.