Do NOT trust Western Digital !!!



Post by Luuk » Sun Jun 27, 2021 1:14 am

If anybody does have their data on a Western Digital My Book Live, please disconnect it from the internet now!
There are hackers with nothing better to do than to wipe all of your data, without even asking for a ransom.
At the very least, make sure your router does not have "UPnP" enabled or any port-forwarding for your MyBook.

All they need is your IP address and an open port to your MyBook, and they can type commands like...
curl -kX PUT -d 'language=en_US`AnyLinuxCommand`' https://YourIPAddress:port/api/1.0/rest/language_configuration
And the stupid language part of the REST API on your MyBook Live will actually execute AnyLinuxCommand with root privileges!

So of course, they now use it to somehow trigger "factory resets" that wipe your MFT, and then recreate the factory settings/folders.
I don't think anyone is actually wiping the file bytes first, but certainly the factory settings/folders would overwrite much anyway.
So now I really do hate Western Digital for making such a stupid API, and I will never trust them again.

I'm just fortunate because I never really trusted HDDs to be forever anyway, especially when connecting them to the internet.
But many people are not so lucky... https://community.wd.com/t/help-all-data-in-mybook-live-gone-and-owner-password-unknown/268111
So if anybody has a MyBook Live, make sure it's not open to the internet, and never trust anything written by Western Digital.
Luuk
 
Posts: 691
Joined: Fri Feb 21, 2020 10:58 pm
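The post above describes a classic shell command injection: a REST parameter is pasted into a shell command string, so a backtick substitution inside the value runs as a command. The following is an added example that re-creates that bug class in Python, placed beside a hardened version; it is not the My Book Live firmware's PHP, and the function names, the allowlist regex and the harmless `echo` command are this example's own assumptions.

```python
"""Command injection through shell-interpolated parameters (added example).

Re-creates, in Python, the bug class described in the thread: a REST
parameter (`language`) is interpolated into a shell command string, so a
backtick substitution inside the value executes as a command. The function
names, the allowlist regex and the harmless `echo` command are assumptions
of this example, not code from the My Book Live firmware.
"""
import re
import subprocess

# Constructed attacker input: a valid-looking locale tag with a backtick
# payload appended. On a vulnerable device the payload could be any command.
INJECTED_VALUE = "en_US`echo INJECTED`"

# Allowlist for a plain locale tag such as en_US (assumed acceptable format).
LOCALE_RE = re.compile(r"^[a-z]{2}_[A-Z]{2}$")


def set_language_vulnerable(language: str) -> str:
    """Vulnerable: interpolates the raw value into a shell command string.

    `sh -c` performs backtick command substitution before running the
    command, so anything between the backticks executes with the privileges
    of this process (root, in the scenario the post describes).
    """
    cmd = f"echo setting-language {language}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


def set_language_hardened(language: str) -> str:
    """Hardened: allowlist the value, then pass it as a single argv element.

    No shell is involved, so the value is treated as data, never as code,
    and the allowlist rejects anything that is not a plain xx_YY locale tag.
    """
    if not LOCALE_RE.fullmatch(language):
        raise ValueError(f"rejected language value: {language!r}")
    result = subprocess.run(
        ["echo", "setting-language", language], capture_output=True, text=True
    )
    return result.stdout.strip()


if __name__ == "__main__":
    # The vulnerable path prints "setting-language en_USINJECTED": the inner
    # echo ran as a command. The hardened path refuses the same input.
    print(set_language_vulnerable(INJECTED_VALUE))
    try:
        set_language_hardened(INJECTED_VALUE)
    except ValueError as exc:
        print(exc)
    print(set_language_hardened("en_US"))
```

The hardened form applies two independent controls: an allowlist on the value's shape, and an argv list so that no shell ever parses the value. Either one alone would have stopped the backtick payload; both together also cover quoting mistakes in future code changes.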

Re: Do NOT trust Western Digital !!!

Post by Admin » Tue Jun 29, 2021 1:46 am

Wow, that is a huge security gap!! :(
Admin

Do not trust WD My Book Live external hard drives !!!

Post by Luuk » Wed Jun 30, 2021 7:48 am

I do hope that anyone else here who keeps their files on a MyBook Live will notice this very soon.
Now we discover that all MyBooks come with a 'factoryRestore.sh' shell script that is used to wipe the drives.
So this is another problem, because what else might trigger this script (power loss, firmware glitch, etc.)??

It's unfortunate, but many users think that editing factoryRestore.sh so that line 1 == exit will make them safe again.
But this only helps if the attacker sends something like...
curl -kX GET -d 'bim=param`Path/To/factoryRestore.sh`' https://IPAddress:port/api/1.0/rest/configuration

They can just change Path/To/factoryRestore.sh into something much worse, like dd if=/dev/zero of=/dev/sda bs=1M.
They don't even need to put 'sudo' in front of the command, because the stupid REST API already does this for them!
So instead of just wiping your MFT for factory resets, they can overwrite your file bytes, or do many other things.

But I still cannot understand the goal of this; usually attackers will try to earn some ransom money by encrypting your files.
But these attacker(s) always just perform the factory reset to delete all of your files instead, so it does seem very strange.
Some people think it's a corporation trying to convince users that your files are safer stored on their cloud drives instead.

So if anybody does have their files stored on a MyBook Live, the only safe thing for now is first to disable ALL port-forwarding.
This means both on your router and inside your MyBook settings (change "connection options" from automatic ==> manual).
Then disable "remote access" in the MyBook, but now you can't access your files away from home (the reason users buy it!).
Luuk

Re: Do NOT trust Western Digital !!!

Post by Luuk » Wed Jun 30, 2021 2:24 pm

It's unfortunate, but this story does seem to keep getting worse every time I read about it.
Even though the REST API already helps attackers by prefixing sudo to their commands, factory resets should still prompt for a password.
But the reason they don't is because somebody at Western Digital decided to comment out ALL of the code that prompts for one!!!...

function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
    // Owner authentication is commented out, so every caller is accepted:
    // if(!authenticateAsOwner($queryParams))
    // {
    //     header("HTTP/1.0 401 Unauthorized");
    //     return;
    // }
}

Except it's like this in other places too!! So all of the lines starting with // that ask for authentication will never run, so nothing is ever denied.
You can read about it here... https://arstechnica.com/gadgets/2021/06/hackers-exploited-0-day-not-2018-bug-to-mass-wipe-my-book-live-devices/
Or, if you have a MyBook, just look inside /var/www/Admin/webapp/classes/api/1.0/rest/system_configuration/system_factory_restore.php

This is so ridiculous I don't even know what to say about it, except do not ever trust Western Digital for security!
It's just unfortunate that so many people like me had to learn this lesson the hard way.
Luuk