Western Digital drives remotely wiped: What experts say to do now

Chris Davies - Jun 26, 2021, 9:09am CDT
Western Digital drives remotely wiped: What experts say to do now

Owners of some Western Digital external hard drives should disconnect them from the internet and probably turn them off completely, as reports of remotely wiped data continue. The drive-maker confirmed last week that some owners had seen their network-connected storage accessed unofficially and a complete reset triggered, though details on just how much people should be concerned continue to emerge.

The affected drives, Western Digital says, are the WD My Book Live and WD My Book Live Duo. They were first released in 2010, and received their last firmware update in 2015. The company has not said how many are in circulation, nor given an estimate on how many people are still using their drives.

“Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability,” the company said in a security bulletin. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.”

Western Digital insists that there’s no current evidence that its own cloud services, firmware update servers, or customer credentials were compromised. Instead, it suggests, the My Book Live drives were left directly accessible via the internet, “either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.” Hackers then used port scanning to spot potential victims, the company theorizes.

“We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further,” Western Digital added. “Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.”

While Western Digital recommends owners disconnect their drives from the internet for safety, the suggestions over among users at Reddit is more cautious still. There, the advice is to turn the drives off altogether, on the assumption that hackers could have already loaded a trojan or some other exploit on there. That might then be scheduled to activate, wiping the drive even if it’s not online at the time.

Although doing that would mean no access to files – and would run counter to inclinations among owners to make a second backup of what’s on the My Book Live drive as soon as possible – it’s likely to be the safest route as further investigation continues.

For those who do want to try to extract what data might remain after a full reset wipe was initiated, the Reddit thread also includes plenty of discussion about which are the best tools for that. It’s unclear just how effective – or consistently effective – they are at this stage. Unless you’re familiar with data recovery software, it might be best to sit it out until Western Digital comes up with an official route to follow.

More broadly, anybody relying on networked drives should probably take a moment to consider their security settings. Open ports, set up through a router or cable modem, are an obvious point of entry for hackers, though many connected hard drives also have some sort of remote access software that relies on a username and password to make logging in while away from home more straightforward. If that’s the case, now would be a good time to check the strength of that password, in addition to enabling two-factor authentication if offered. Or, indeed, to consider whether or not you actually need the drive to be online in the first place.


Must Read Bits & Bytes