WD Drives Were Wiped by Hackers Using a Zero-Day Exploit

According to a new report, hackers have exploited a 0-day bug, not the one discovered in 2018, to mass-wipe WD My Book Live Devices. It appears as though Western Digital intentionally removed lines of code that would have prevented it.

Just last week, PetaPixel reported that an exploit was discovered through the WD community pages that caused some WD My Book Live users to have all of their data deleted. A further investigation alleges that the data wipes were not caused by just a single vulnerability, but a second critical security bug that let hackers remotely perform factory resets without the use of a password.

According to the investigation, a developer from the Western Digital team actually coded a requirement for a password before a factory reset was performed, but that requirement was later removed.

“The undocumented vulnerability resided in a file aptly named system_factory_restore. It contains a PHP script that performs resets, allowing users to restore all default configurations and wipe all data stored on the devices,” arsTechnica reports.

As a point of security in modern tech devices, if a factory reset is desired, the user would need to use a password to properly authenticate the command to delete all stored data. Adding this critical step is supposed to protect users and prevent any malicious entities from accessing or destroying data, and ensures that only the owner could take those actions. It is generally successful in doing so as long as the user’s password remains protected.

According to this new report, the WD Developer in question wrote five lines of code to password-protect the reset command and then at some point before the commercial launch of the products, canceled it (or in coding terms, commented it out).

This discovery comes just days after users from all over the world first reported their devices had been affected to which WD posted an advisory on its website and stated the attack used a vulnerability found in late 2018. Since the exploit was discovered years after the company officially stopped supporting the devices, a fix was never issued. It turns out that even if WD had patched that exploit, this other bug would have still allowed hackers to remote delete users’ data.

In a statement to arsTechnica, Derek Abdine, CTO of security firm Censys, believes the second exploit which caused the mass deletion was used by a different hacker to “wrest control of the already compromised devices” and prevent Western Digital from being able to release an update to fix the corrupted configuration files. Abdine also states that users who were affected by the initial hack seem to also have been infected with malware that makes the devices a part of a botnet called Linux.Ngioweb.

Western Digital did not immediately respond to the request for comment.

Due to the discovery of the second vulnerability, My Book Live devices are even more insecure and unsafe to use than initially believed. As PetaPixel urged in its original coverage, it is prudent for all who currently own a WD My Book Live to disconnect them immediately from the internet.

Image credits: Header photo licensed via Depositphotos.