WD My Book Live storage drives are being remotely wiped — disconnect yours now
Updated with new information about a second, previously unknown flaw that was exploited during the attack(s) on WD My Book Live drives. This story was originally published June 25, 2021.
Do you have a WD My Book Live network storage drive? Well, you better disconnect it from the internet immediately, or you could lose all your precious data.
WD has warned that some users have been finding their data has been wiped, despite no action on their part. Apparently this is due to some "malicious software" doing the rounds, and the company is advising users to disconnect their drives from the internet right away.
A number of WD My Book Live owners have confirmed that their devices received a remote command to perform factory resets, starting yesterday afternoon and continuing through the night.
Affected users have since discovered that they have lost all their data, and many of them are unable to log back into the drive via both the web browser and app portals. And yes, they did try the usual default admin passwords, without luck.
Weirdly, some users have reported that their file structure appears to be intact, leaving the drive full of empty folders. Others have confirmed that their drives only have the default folder that's present when you switch it on for the very first time.
Because WD My Book devices are stored behind their own firewalls, and allow remote access via the My Book Live cloud servers, some users have expressed concerns that WD's servers have been hacked. This is a very reasonable concern to have.
However, WD's official statement claims that its cloud services and servers do not appear to have been compromised. Instead, the resets are being blamed on "malicious software," and WD clarified in a statement to BleepingComputer that affected devices have been "compromised by a threat actor."
Apparently, the wiped WD My Book Live devices are being affected by someone exploiting a known vulnerability in the device's software. This vulnerability allows for root remote command execution by anyone who knows the IP address of any unpatched device — which can be learned from an internet scan.
WD has confirmed that this issue is the result of the vulnerability being exploited on a large scale. To make matters worse, it seems as though the problem was never patched when it was discovered and publicized in 2018. WD states in its official statement that the affected drives received their last firmware update in 2015.
WD's official advice is still to disconnect your My Book Live drives from the internet, and prevent your data being wiped. It's unclear if a patch will be made available to prevent this problem from escalating further.
Update: A second, zero-day flaw used
Ars Technica, together with the security firm Censys, took a closer look at the log files from wiped My Book Live drives and found evidence that a second flaw, one previously unknown to Western Digital, was used in the attacks.
Furthermore, the wiping of the drives may have been the result of an attempt by a second attacker to sabotage or steal the work of the first attacker.
The second flaw is what permits a remote user to factory-reset the drive. This is possible because protective code that forces a remote user to enter a password before factory-resetting a drive has been disabled. It has been simply "commented out" with special characters so that it is readable but will not execute.
It is not clear why such an important function in the WD My Book Live's firmware would have been deliberately disabled, either during initial release or during a firmware update, but that is what appears to have happened. The last firmware update for these drives was in 2015.
In fact, the Censys post argues that the WD My Book Live drives were hit by two different attackers. The first used the known vulnerability mentioned above to embed botnet code on the drives, but did not wipe the drives. Factory-resetting the drives would have wiped the botnet malware too.
The second attacker used this new, previously unknown flaw to factory-reset the drives, possibly as part of a personal dispute with the first attacker or as part of an attempt to "steal" them into a different botnet. While the first attack may have gone undetected by the drive owner/user indefinitely, the second attack was very blatant.
Either way, the advice is the same: Take your WD My Book Live networked hard drive off the internet.
Source: https://www.tomsguide.com/news/wd-my-book-live-storage-drives-are-being-remotely-wiped-disconnect-yours-now
Posted by: bilskiantsmairming.blogspot.com