Very few things in modern computing probably scare people more than the thought of losing years of data in a blink of an eye. That nightmare, unfortunately, became a reality for thousands of owners of Western Digital’s discontinued My Book Live storage last week. Years’ worth of files, photos, videos, and everything in between were remotely erased because of some malicious actors that may have been competing with each other. What makes matters worse is that Western Digital itself may have had a hand in actually enabling one of two vulnerabilities that made this remote mass-wipe possible.
Western Digital immediately dismissed the speculation that its servers were compromised, leading to the remote reformatting of many My Book Live NAS devices across the world last week. Instead, the company pointed to malicious actors exploiting vulnerabilities in the operating system as the cause. After some investigation, it pointed to a 2018 security flaw that gave attackers the ability to run commands remotely with elevated privileges on specific devices.
Since CVE-2018-18472 was reported back in 2018, Western Digital wasn’t exactly required to patch it up for products that were no longer supported since 2015. It turns out, however, that another vulnerability may have also been used to remotely reset devices to their factory state. Unlike the first exploit, this vulnerability is believed to have been there from the very day the My Book Live launched in 2011 and may have even been Western Digital’s fault.
According to Ars Technica’s report, My Book Live was supposed to require a user password when trying to perform a remote factory restore. For some unknown reason, however, the code that shipped with the NAS devices had this check disabled. In other words, it would have been relatively trivial for a knowledgeable hacker to perform that wipe, thanks to some mysterious code change on WD’s part.
The mysterious part about these two vulnerabilities is that the latter zero-day exploit was unnecessary since the 2018 vulnerability already gave an attacker root access to perform wipes. The running theory at the moment is that the CVE-2018-18472 exploit was used by one hacker to turn compromised devices into a botnet while the second, older vulnerability was used by a rival hacker to either take over the network or simply sabotage it. Either way, the end result is the same, leaving hundreds if not thousands of users crestfallen over their lost data.