
5 lines of code allowed attackers to wipe tons of data from popular hard drive

Western Digital My Book Live was hit with an attack last week that led to countless drives being factory reset, resulting in petabytes of lost data. Early reports attributed the attack to a security vulnerability from 2018, and while that remains one of the attack vectors, a second one was also at play. That second one came down to only five lines of code.

An investigation by Ars Technica revealed that a second exploit was at work in at least some of the affected drives. This second exploit allowed attackers to factory reset the drives remotely without a password. Curiously, the investigation revealed that five lines of code would have protected the reset command with a password, but they were removed from the running code.
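The situation described above, a destructive reset reachable because the password check in its own handler was removed, as an added Python example that is not Western Digital's code: the credential check is enforced once in a central dispatcher, so a handler whose local check has been commented out still cannot be reached without the admin password. All names, the request format and the sample password here are hypothetical.

```python
# Added illustration, not Western Digital's code: a small request dispatcher
# for a NAS admin interface in which the password gate for destructive
# actions lives in one place rather than in each handler.
import hashlib
import hmac

# Constructed sample credential; a real device stores a salted, slow hash.
ADMIN_PASSWORD_HASH = hashlib.sha256(b"example-admin-password").hexdigest()


def password_valid(supplied: str) -> bool:
    digest = hashlib.sha256(supplied.encode()).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(digest, ADMIN_PASSWORD_HASH)


class Unauthorized(Exception):
    pass


def factory_restore(request: dict, disk: list) -> str:
    # Handler-local check commented out, mirroring what the article describes.
    # Called directly, this handler wipes the disk for any caller.
    # if not password_valid(request.get("password", "")):
    #     raise Unauthorized("factory restore requires the admin password")
    disk.clear()
    return "restored"


def list_shares(request: dict, disk: list) -> str:
    return ",".join(disk)


# Every destructive action is named here; the dispatcher refuses to run one
# without a valid password, regardless of what the handler itself checks.
DESTRUCTIVE = {"factory_restore"}
HANDLERS = {"factory_restore": factory_restore, "list_shares": list_shares}


def dispatch(action: str, request: dict, disk: list) -> str:
    handler = HANDLERS.get(action)
    if handler is None:
        raise KeyError(action)
    if action in DESTRUCTIVE and not password_valid(request.get("password", "")):
        raise Unauthorized(f"{action} requires the admin password")
    return handler(request, disk)
```

Calling `factory_restore` directly still wipes the disk, which is the point: the central gate protects the network-facing path, and the handler itself should additionally keep its own check.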

Even stranger, this vulnerability wasn’t critical to the data loss. The original exploit (CVE-2018-18472) allowed attackers to gain root access to drives, stealing the data off of them before wiping the drive. This vulnerability was discovered in 2018, but Western Digital ended support for My Book Live in 2015. The security flaw was never fixed.

“We have reviewed log files which we have received from affected customers to understand and characterize the attack,” Western Digital wrote in a statement. “Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device.”

These two exploits achieved the same goal but with different means, leading an investigation from security firm Censys to speculate that they were the work of two different groups of hackers. The investigation says it’s possible that an original group of attackers exploited the root access vulnerabilities to loop the drives into a botnet (a network of computers that hackers can draw resources from). However, a possible second group of attackers came in and exploited the password reset vulnerability to lock out the original attackers.

The two exploits apply to My Book Live and My Book Live Duo storage devices. These drives give users a few terabytes of network-attached storage reachable over the internet, which is what exposed them to these attacks in the first place. Western Digital says anyone with a My Book Live or My Book Live Duo should immediately disconnect the drive from the internet, even if it hasn’t come under attack.

Western Digital, a computer hard disk drive manufacturer and data storage company, is offering affected customers data recovery services, which will begin in July. A Western Digital spokesperson told Ars Technica that the services will be free. It is also offering customers a trade-in program to upgrade to a newer My Cloud device, though Western Digital hasn’t said when the program is launching.

Jacob Roach
Senior Staff Writer, Computing