My Book Live Fiasco Shows Dangers of Unsupported Devices

If you at all follow security or tech news, you’ve likely heard about the Western Digital My Book Live hack and loss of user data.

If you haven’t, this is a good example of why it’s so important for users of technology to make sure they are using devices with active (and competent) hardware and software support.

My Book Live Exploit History

The most recent My Book Live issues came to light toward the end of last week (I’m writing this on July 1st, 2021).

Essentially, users were logging in to their devices to find that they were totally empty. Terabytes of data were simply gone.

The cause of this massive data loss appeared to be the affected devices receiving a remote command to factory reset themselves. Of course, a factory reset restores the device to “like-new” condition, erasing all the data stored on the device.

At the time, Western Digital said that the cause was not a takeover of Western Digital infrastructure (whew!), but the result of a known and unpatched exploit that has publicly existed since 2018 (what?!?).

My Book Live Exploits – A Brief History

It appears that the My Book Live devices (released in 2011) receieved their final software update in 2015.

Three years later (in 2018) a remote-code vulnerability was discovered by security researchers Paulos Yibelo and Daniel Eshetu which would let an attacker, who knew the IP address of the My Book device, run commands with the all-powerful “root” account. While not all My Book Live devices were vulnerable, the ones that were publically accessible on the internet were wide-open targets for this vulnerability.

Despite the 9.8 (out of 10) severity score that this vulnerability received, Western Digital did not patch this vulnerability. I’m not even sure if Western Digital ever disclosed this unpatched vulnerability to My Book Live owners – some of which were likely storing important data in their devices.

Certainly telling customers “there’s a problem in your 5-year old device that would let bad guys into your data and network, but we’re not going to fix it” is not a great PR move, but keeping this information from your customers is even worse.

The Great My Book Live Wiping of 2021

Apparently, though, the existing severe vulnerability wasn’t the only issue with these devices.

According to an Ars Technica article, it looks like the factory reset command should have been password-protected. So that any user trying to reset the device would need to enter a password to complete the reset. However, it looks like the password-protection part of the code was actually written but commented out. Meaning that this protection was considered and then rejected for some reason.

This vulnerability is a real zero-day vulnerability. Until now, no one knew that My Book Live devices were susceptible to this second attack.

So, it looks like there were 2 major vulnerabilities in these devices. The Ars article theorizes that most of the internet-connected My Book Live devices had been previously compromised by a hacker using them as a botnet. When this second vulnerability was discovered (likely by a rival hacker or someone who wanted to disrupt the original botnet), they took the opportunity to try and disrupt the first hacker’s botnet.

It just happened that lots of user’s data was lost along the way.

Some Final Thoughts

There are a few things to be learned from this.

The first, and most important, is that using unsupported hardware/software is a Big Risk™. I know lots of people who don’t apply updates to their phones, tablets, computers, web browser, etc. But

And while not every update fixes dangerous vulnerabilities (there was a reason the first Western Digital vulnerabity got a 9.8 out of 10!), a non-trivial percentage of them do. Just take a look at the number of zero-days fixed so far this year in last month’s tech round-up post. (TL;DR: 7 in Google Chrome, 9 in iOS, 18(!) in Windows 10)

More and more becomes obvious that ignoring or delaying updates is the tech equivalent of driving without a seatbelt on. You’ll be fine – most of the time – but when something goes wrong, it’s not going to be pretty.

The second important lesson is that a user has to take some responsibility for keeping their network (and network devices) secure. This is becoming more and more difficult, as consumer equipment gets more powerful, more capable, but not always more secure. If you’re not sure how best to configure devices that are accessible on the open internet, don’t expose them to the internet.

This isn’t a perfect solution. The only real option that My Book Live owners had, if they had known about the two vulnerabilities, was to either disconnect their devices from the internet (and lose functionality) or buy a new, supported device (and likely spend hundreds of dollars). But that’s the technology world we live in today.