Data Storage Security

Another Exploit Hits WD My Book Live Owners (tomshardware.com)

While it will come as no comfort to those who had their Western Digital My Book Live NAS drives wiped last week, it seems they were attacked by a combination of two exploits, and possibly caught in the fallout of a rivalry between two different teams of hackers. Tom's Hardware reports: Initially, after the news broke on Friday, it was thought a known exploit from 2018 was to blame, allowing attackers to gain root access to the devices. However, it now seems that a previously unknown exploit was also triggered, allowing hackers to remotely perform a factory reset without a password and to install a malicious binary file. A statement from Western Digital, updated today, reads: "My Book Live and My Book Live Duo devices are under attack by exploitation of multiple vulnerabilities present in the device ... The My Book Live firmware is vulnerable to a remotely exploitable command injection vulnerability when the device has remote access enabled. This vulnerability may be exploited to run arbitrary commands with root privileges. Additionally, the My Book Live is vulnerable to an unauthenticated factory reset operation which allows an attacker to factory reset the device without authentication. The unauthenticated factory reset vulnerability [has] been assigned CVE-2021-35941."

Analysis of WD's firmware suggests code meant to prevent the issue had been commented out, preventing it from running, by WD itself, and an authentication type was not added to component_config.php which results in the drives not asking for authentication before performing the factory reset. The question then arises of why one hacker would use two different exploits, particularly an undocumented authentication bypass when they already had root access through the command injection vulnerability, with venerable tech site Ars Technica speculating that more than one group could be at work here, with one bunch of bad guys trying to take over, or sabotage, another's botnet.
Western Digital advises users to disconnect their device(s) from the internet. They are offering data recovery services beginning in July, and a trade-in program to switch the obsolete My Book Live drives for more modern My Cloud devices.
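The misconfiguration described above (an endpoint whose authentication type was never declared in the component config, so the dispatcher ran it without asking for credentials) is modelled in the added Python example below. This is not WD firmware code; the config layout, endpoint names, roles and function names are invented to show why a missing auth entry must fail closed, and how to audit a config for such gaps.

```python
"""Hypothetical model of a config-driven request dispatcher (added example,
not WD's code): the same lookup written fail-open and fail-closed."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed config in the spirit of the page's component_config.php:
# each endpoint should name the authentication type it requires.
# The factory_reset entry deliberately lacks an "auth" key, mirroring
# the page's description of the bug.
COMPONENT_CONFIG: Dict[str, Dict[str, str]] = {
    "status":        {"handler": "show_status",  "auth": "none"},
    "share/create":  {"handler": "create_share", "auth": "admin"},
    "factory_reset": {"handler": "factory_reset"},   # auth key missing
}


@dataclass
class Request:
    path: str
    session_role: Optional[str]   # None means no authenticated session


def _authorised(required: str, role: Optional[str]) -> bool:
    """Return True only for auth types this dispatcher explicitly knows."""
    if required == "none":
        return True
    if required == "admin":
        return role == "admin"
    return False   # unknown auth type: never treated as satisfied


def dispatch_fail_open(req: Request) -> str:
    """Weak pattern: an endpoint with no configured auth type runs
    unauthenticated, because the missing key defaults to 'none'."""
    entry = COMPONENT_CONFIG[req.path]
    required = entry.get("auth", "none")
    if not _authorised(required, req.session_role):
        return "401 unauthorized"
    return f"200 ran {entry['handler']}"


def dispatch_fail_closed(req: Request) -> str:
    """Hardened pattern: an unknown endpoint, a missing auth type, or an
    unrecognised auth type all deny the request."""
    entry = COMPONENT_CONFIG.get(req.path)
    if entry is None or "auth" not in entry:
        return "403 misconfigured endpoint"
    if not _authorised(entry["auth"], req.session_role):
        return "401 unauthorized"
    return f"200 ran {entry['handler']}"


def endpoints_missing_auth(config: Dict[str, Dict[str, str]]) -> List[str]:
    """Audit helper: list endpoints that declare no auth type at all, so a
    build or firmware test can fail before such a config ships."""
    return sorted(path for path, entry in config.items() if "auth" not in entry)
```

The audit helper is the check worth wiring into a firmware build: an empty result from `endpoints_missing_auth` is the precondition for shipping the config.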
This discussion has been archived. No new comments can be posted.

  • by Ostracus ( 1354233 ) on Thursday July 01, 2021 @09:04AM (#61540098) Journal

    Western Digital advises users to disconnect their device(s) from the internet. They are offering data recovery services beginning in July, and a trade-in program to switch the obsolete My Book Live drives for more modern My Cloud devices.

    Throw in some free credit monitoring and you have a deal.

    • "Throw in some free credit monitoring and you have a deal." Why? Sensitive material should have been encrypted offline and not wide open on a cloud platform. Doubt you need credit monitoring for your now lost porn collection
      • by Anonymous Coward

        Sensitive material should have been encrypted offline and not wide open on a cloud platform.

        Nerd motto: Always blame the user.

        • by bjwest ( 14070 )

          Sensitive material should have been encrypted offline and not wide open on a cloud platform.

          Nerd motto: Always blame the user.

          This is a situation where blaming the user is the correct response. If you're stupid enough to attach your personal storage device to the internet without learning how to properly secure it, that's on you. The Internet's been around long enough that most of these people don't know a world without it. Security and vulnerabilities have been talked about for decades, and if you still do something this dumb, then yes, it's all on you. Would you leave a valuable package handbag or wallet sitting on the seat

          • by sjames ( 1099 )

            Since this is a physical object that you put in your home that has your data on it, how many people realized they were putting it on the public net?

            The people who should have known better work for WD.

            • by bjwest ( 14070 )

              Since this is a physical object that you put in your home that has your data on it, how many people realized they were putting it on the public net?

              The internet has been in use for long enough that at this stage everyone should know better than to just willy nilly attach a storage device to the network and start loading it up with personal data, just like they should know better than to just click on some random link sent to them by someone they don't even know.

              The people who should have known better work for WD.

              Yes, they should bear some of the responsibility, then again, at what point does personal responsibility just get thrown out the window?

              • by sjames ( 1099 )

                I have several NFS shares on my LAN. They are not, however, available from the public internet. Most things you might plug in to your LAN are like that. The WD device goes out of its way to be available on the public net.

                The warning signs are there for a security professional to see. I suspect any network engineer would see it and many other people in the IT industry. But do you expect your Mom to know just by looking at it? Many people expect devices sold by well known companies to be safe. They don't exp

      • by Arethan ( 223197 )

        woosh!

  • Surprised? (Score:5, Insightful)

    by Joce640k ( 829181 ) on Thursday July 01, 2021 @09:05AM (#61540102) Homepage

    Connecting a hard drive directly to the internet? What could possibly go wrong?

    shrug.

    • Dunno. Might ask John McAfee about the 31 TB...
    • Re: Surprised? (Score:4, Informative)

      by klipclop ( 6724090 ) on Thursday July 01, 2021 @09:23AM (#61540128)
      Some cloud WD customers also have upnp enabled on their built for idiots wireless routers too.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        Not just WD... QNAP had a big fiasco about ransomware a few months ago, because apparently their devices made a connection to their cloud, which let bad guys tunnel in and hit the Web interface, and an exploit there allowed devices to be ransomwared. A few years back, Synology had something similar with SynoLocker, but that got fixed, and Synology has arguably the best firewalling of all of them.

        • by hazem ( 472289 )

          Not just WD... QNAP had a big fiasco about ransomware a few months ago, because apparently their devices made a connection to their cloud

          I know it's beyond most home users' skills and removes some of the cool features, but I can't be the only one who gives a NAS a static IP on my LAN and then blocks that IP from having internet access at my router?

    • Become part of a P2P network. Gotta keep one's *cough* Linux distros somewhere.

    • it's like running your own dropbox/mega without having to pay for it, and without dropbox deleting all your pirated movies. how else would you stream them to your phone?

      • Re:Surprised? (Score:4, Insightful)

        by Junta ( 36770 ) on Thursday July 01, 2021 @11:52AM (#61540514)

        Using a platform that's more well maintained over time than the half-assed platform that a canned home 'internet hard drive' NAS device is generally locked into.

        The throwaway software load running on 'My Book Live' is not a recipe for security or longevity. Instead, use a more hardware-agnostic solution, whether starting with a generic Linux distro like Ubuntu, Debian, or CentOS or a canned NAS platform like OpenMediaVault or TrueNAS, extending to 'cloud' enabled through something like nextcloud or seafile.

        • it's difficult to convince people of this when there are low-low prices to contend with. Security is an afterthought in consumer products in part because it's a low priority in the purchasing decisions of the consumers themselves.

    • Re:Surprised? (Score:4, Informative)

      by AmiMoJo ( 196126 ) on Thursday July 01, 2021 @09:39AM (#61540158) Homepage Journal

      Millions of servers are connected directly to the internet, and most of them are fine... The problem here is that WD's software development practices are crap and they abandoned this hardware with known serious security flaws.

      The real issue is that companies want to sell people servers but don't want to support them for the lifetime of the product.

      • Re:Surprised? (Score:4, Informative)

        by larwe ( 858929 ) on Thursday July 01, 2021 @10:11AM (#61540222)

        The real issue is that companies want to sell people servers but don't want to support them for the lifetime of the product.

        What's the lifetime of this product? You'll note that WD is offering to replace these "obsolete" devices with newer devices. Kinda hints that they consider the lifetime of the device to be already over.

        For my money, Internet-connected consumer NAS is a Bad Plan. Keeping up with the vulns is not something you can do passively, even if the vendor is supporting you with upgrades (which cheapo consumer products aren't getting, at least nowhere near at the frequency as enterprise products). If you want your files accessible on the Internet, a paid cloud provider seems much safer - though not completely safe of course.

        • Re:Surprised? (Score:4, Interesting)

          by AmiMoJo ( 196126 ) on Thursday July 01, 2021 @11:00AM (#61540378) Homepage Journal

          WD should have stated what the lifetime of the product was clearly, and as soon as they found out about that security vulnerability back in 2018 they should have notified customers to disconnect. It's a cloud service (WD servers are used to connect clients to the right IP address) and the device itself checks for firmware updates regularly, so they had the means to contact everyone.

          Ideally the end of support date needs to be on the box so people can see it when they buy the device. Then they can decide if it's worth the money for X years of service.

          • Re:Surprised? (Score:4, Insightful)

            by larwe ( 858929 ) on Thursday July 01, 2021 @11:27AM (#61540456)
            As a customer, I can't disagree with anything you wrote there. However, consumer product lifespan isn't normally planned that way - support trails off not long after production ends, and production ends when sales dwindle, or there's a cost reduction effort, or a part goes obsolete. It's typically only with enterprise hardware that you get a support commitment, SLAs, etc.
            • by AmiMoJo ( 196126 )

              Now that many products depend on cloud services and security updates I think the law should change to mandate a stated, minimum service life. We are seeing stuff killed off or simply go unsupported very quickly and it's not what consumers expect, or what we should accept.

          • WD should have patched the vulnerability, or have perhaps de-functioned the device, where it doesn't connect to the Internet, or only connects to the local network, with some method of turning it back on, even if it meant SSH-ing in and adding a config file. That way, users know the device has expired and is not getting patches, but if they want to continue, it is still possible. Ideally, the software should be opened up, or some way of having a F/OSS firmware alternative provided, similar to alternative

        • by pnutjam ( 523990 )
          Yup, it's way safer (and easier) to just use a full linux distribution. I stick with OpenSuse and it gets everything done for me.
      • by Junta ( 36770 )

        Correct, and applies generically to 'appliance' class devices of any sort. The vendor slaps a meets minimum software load to move the hardware and then abandons it when they move on to the next product.

        Always a good idea to consider whether a less 'appliance-y' option exists to use instead, with a track record of updates and supporting multiple generations of products from multiple vendors, indicating viable standard device interfaces and a maintenance effort.

        • Always a good idea to consider whether a less 'appliance-y' option exists to use instead

          In this case, it's called a hard drive. Buy a few. They're not that expensive. You can have data spread across several to prevent loss.
          • by Junta ( 36770 )

            Yes, but this isn't a 'Hard Drive' so much as it is a NAS, but they say 'internet hard drive' to not scare away the customers.

            So you need something to manage how data gets over the network to the drive, for which a general OS is fine by me, and for others so inclined there are NAS-specific distributions that fit the bill.

      • This isn't a server with a regularly patched OS, so that's an unfair comparison... This is essentially an IoT device. These remote exploits resulting in wiping and data loss on seldom patched devices demonstrate the critical flaw in the IoT ecosystem. From a practical perspective, what's the expected life of a hard drive?
    • Re:Surprised? (Score:5, Insightful)

      by jellomizer ( 103300 ) on Thursday July 01, 2021 @09:48AM (#61540172)

      For most organizations IT Staff is some of the highest paid staff (outside of the executive and management). The job requirements often require Degrees and/or Certifications and often would want some experience as well.
      However they are often treated like the rest of the staff, where people are there to do a job, but not really concerned about their career.

      When someone in your IT Team goes to you, that something is a bad idea, you really should listen to them, and seriously evaluate their concern, before jumping into the cool new Gizmo that the sales guy you had lunch with pushed on you.

      You want to share data over the internet, your IT Staff can do that, they can probably do it much safer even though it may require you to enter in some additional credentials. Any good IT guy doesn't trust the Internet, or vendors who make a cloud tool, for something they can easily do in house.
      For heavens sake listen to them, and you can save a lot of money and trouble in the future.


  • File Transfer [xkcd.com]

    I find it odd that it is still very difficult for us to have a common method to send a file from one PC to another on a different network securely, without needing to lean on black box solutions like a shared file repository to work in the middle.

    • by pnutjam ( 523990 )
      It's not difficult if you have control of both networks. Malware authors do it all the time.

      Of course you need some open device in between or your networks will be open to all sorts of attack vectors.
  • by ytene ( 4376651 ) on Thursday July 01, 2021 @10:09AM (#61540218)
    There's an aspect of this story that I'd like to explore in more detail... but I suspect that not only is it already well understood, but there might well be papers on the topic.

    It is the phenomenon in which an event which starts out as not merely theoretical, but perhaps even highly implausible, goes through a transformation once a single event converts the theory into reality.

    For example, once the first reports of Spectre, the speculative execution vulnerability became public, a total of 8 variations - including the Rogue Data Cache Load that became known as Meltdown - were quickly identified.

    It almost seems as though something similar is happening here with these Western Digital drives - last week we have the breaking story of a vulnerability... and now we have at least one additional issue being discovered. I don't think that there is anything suspicious or even unusual about this - if you're a malicious actor and you learn about a vulnerability being discovered, of course you're going to learn about it and go looking for variants.

    I'm interested in this more from the perspective of wanting to give sound advice to my technology community when it comes to the idea of fixing vulnerabilities in systems before releasing them for general/public use. It's the idea that once you attract unwanted attention to your technology, it will be subjected to significant analysis and previously long-hidden issues could be found.

    Does any other reader have knowledge of any research or analysis conducted in the phenomenon of "clumping" or "coalescing" of findings like this?
  • by williamyf ( 227051 ) on Thursday July 01, 2021 @10:11AM (#61540220)

    WD is offering their affected customers a Trade-In program to exchange their "My Book Live" drives for "My Cloud" drives.

    Being that the MyBooks are old, they probably use PMR/CMR. But the current MyClouds (2020-2021 vintage) most likely use Shingled Magnetic Recording drives.

    So, the drives have more SW features, and still receive security patches, but you exchange that for worse performance...

    Go figure.

    • by larwe ( 858929 )
      On the bright side, the drives will be much younger - so they'll have a longer mechanical lifespan than whatever's left on the life-clock of the older products that have been in service awhile.
      • My understanding is that shingled drives will have shorter lifespans than CMR/PMR as the drive needs to overwrite multiple tracks when a change is made in one track. Generally the lifetime is longer than what most users will need; however, this is the reason they were recommended more for archival usage rather than daily usage.
    • by Zak3056 ( 69287 )

      So, the drives have more SW features, and still receive security patches, but you exchange that for worse performance...

      If you're buying spinning rust in the cheapest enclosure possible, it's a fair assumption that "performance" isn't one of your major concerns.

  • What? PHP? Seriously?!

  • For all the porn collections lost forever.

  • I thought... wouldn't it be nice to have my own cloud without a subscription. I bought a mybook and started to use it, then quickly realized that I wouldn't be able to use it to store anything of value.

  • just stick a raid box in a well hidden place, that has no outgoing connections beyond your lan/vpn.

  • For all those saying: just put it behind a firewall, VPN, install HDs on a server and configure it yourself, .... just remember that this kind of hardware is made for non-IT consumers. They don't have our knowledge. They probably don't want to spend too much time configuring it either.

    What is needed is a law/regulation (yes I know, I hate to say it) where the penalty is so high that it will cost less to put in place a bunch of quality gates and to hire really competent IT staff than paying the penalty.

    IT indus

    • EDIT : too many years... ..we need to slow down a bit...

      Hey Slashdot, can you add "comment editing" feature in your backlog please? :)

  • DUH - Hello class. Can we say 'DON'T SHARE'
    ALWAYS keep vulnerable/critical material isolated from the 'friendly' web of (dis)trust !
    ANYONE with more than 5 functional neurons would NEVER connect vital material to such an exploitable link as the FRIENDLY INTERNET ! ! !

  • CEO fired without golden parachutes and all their stock in the company sold off to pay for a data restoration fund.
