It looks like there may have been more than one exploit used to cause the mass deletion of data from WD My Book Live NASes last week, according to a report from Ars Technica. When news broke that people were finding that their data was missing, some (including WD itself) pointed to a known exploit from 2018, which allowed for root access of the device. However, it appears as though there’s more going on than was initially suspected.
If you have one of these devices, you should unplug it from the internet before reading any further — it’s clear at this point that your data is at risk if the device is online.
The second exploit, reported by Ars Technica, doesn’t give an attacker full control over the device the way the first exploit does. It just allows them to remotely wipe the device without having to know the password. Tragically for those who lost data, it seems that code that would’ve prevented this was actually present in the WD My Book Live’s software, but it appears to have been commented out (or deactivated) by WD at some point — because of this change, the software didn’t run authentication when asked to do a factory reset.
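The defect described above, an authentication check left commented out in front of a destructive factory-reset action, modelled as an added Python example (this is not WD’s firmware; the device, request, route and credential names are all hypothetical and constructed). It contrasts the unguarded handler with one whose check is enforced by a wrapper, and adds an audit that flags any destructive route not passing through that wrapper, so a single commented-out line cannot silently disable authentication again.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Optional


@dataclass
class Device:
    admin_secret: str                      # constructed stand-in for the admin credential
    files: dict = field(default_factory=lambda: {"photos": 1200, "docs": 340})


@dataclass
class Request:
    path: str
    session: Optional[str] = None          # None models an unauthenticated network peer


def authenticated(dev: Device, req: Request) -> bool:
    return req.session is not None and req.session == dev.admin_secret


def require_auth(handler):
    """Wrap a handler so the check cannot be dropped by editing the handler body."""
    @wraps(handler)
    def guarded(dev, req):
        if not authenticated(dev, req):
            return 401
        return handler(dev, req)
    guarded.auth_enforced = True           # marker that audit_routes() looks for
    return guarded


def factory_restore_unguarded(dev: Device, req: Request) -> int:
    """Shape of the bug in the article: the check is in the source but commented out."""
    # if not authenticated(dev, req):
    #     return 401
    dev.files.clear()                      # any peer that can reach the port wipes the data
    return 200


@require_auth
def factory_restore(dev: Device, req: Request) -> int:
    dev.files.clear()                      # only reached after require_auth passes
    return 200


def audit_routes(routes: dict) -> list:
    """Return paths of destructive routes whose handler bypasses require_auth."""
    return sorted(p for p, h in routes.items() if not getattr(h, "auth_enforced", False))


def dispatch(routes: dict, dev: Device, req: Request) -> int:
    handler = routes.get(req.path)
    return handler(dev, req) if handler else 404
```

Running `audit_routes` over the route table in a firmware build step would have reported the unguarded reset handler before it shipped.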
WD had stopped supporting these devices in 2015. While the exploit has been around since at least then, it’s not necessarily a scenario where an obvious security issue persisted through years and years of updates. The question still remains, though, as to why hackers decided to factory reset the devices.
Ars Technica has a wild theory, based on analysis by security firm Censys: the data deletion happened as the result of a fight between hackers, with one botnet owner potentially trying to take over or disrupt another’s. One hacker (or group of hackers) was using the known exploit to control the devices for some nefarious purposes. Then, another entity used the unknown remote wipe exploit to erase those devices. It likely would’ve removed the first entity’s access to the hardware — but users’ data was caught in the crossfire.
The theory does make sense, given the competing nature of the exploits used. (Why would a hacker burn a previously unreported exploit to factory reset the machines after already having root access?) For its part, WD told Ars that it could confirm that both exploits were used, at least in some cases. The company said it was “not clear why the attackers exploited both vulnerabilities,” but noted that it would update its security advisory about the second exploit.
The Verge didn’t immediately receive a response when it reached out to WD for comment on the findings.