Western Digital Removed Code That Would Have Prevented Global My Book Wiping – Review Geek


A Western Digital developer removed code that would have prevented last week’s mass wiping of My Book Live storage drives, according to a report from Ars Technica. A hacker exploited this change in code, likely to disrupt another hacker who had turned some My Book Live devices into a botnet.

Victims of last week’s global wiping event complained that the factory reset tool on their My Book Live devices should have been password-protected. Evidently, that was once the case. But a developer at Western Digital edited the system_factory_restore PHP script to disable all of the authentication checks. To be clear, this developer did not delete the authentication checks, but simply prefixed the lines with `//` comment markers so that the code never runs.

```php
function get($urlPath, $queryParams=null, $ouputFormat="xml"){
    // The owner check below is commented out, so every caller reaches the restore logic.
    // if(!authenticateAsOwner($queryParams))
    // {
    //     header("HTTP/1.0 401 Unauthorized");
    //     return;
    // }
    // ... factory restore logic follows
}
```
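As an added illustration (not Western Digital's firmware code), the script below places the weak pattern from the snippet above next to a hardened handler and adds the kind of regression check that would have flagged the commented-out guard. The `authenticateAsOwner()` stand-in, the session tokens and the return values are all constructed for this example and are not the device's real implementation.

```php
<?php
// Added example, not Western Digital's code: a minimal "factory restore" handler
// showing the weak pattern (owner check commented out) beside a hardened version
// that fails closed. Everything here is constructed for illustration.

declare(strict_types=1);

// Constructed session store: exactly one token belongs to the device owner.
const VALID_OWNER_TOKENS = ['owner-session-abc123' => true];

// Stand-in for the firmware's authenticateAsOwner(): true only for a known owner token.
function authenticateAsOwner(?array $queryParams): bool
{
    $token = $queryParams['session'] ?? '';
    return isset(VALID_OWNER_TOKENS[$token]);
}

// Weak variant: the only thing between the network and a wipe is a comment marker,
// so any caller, authenticated or not, reaches the reset.
function factoryRestoreWeak(?array $queryParams): array
{
    // if (!authenticateAsOwner($queryParams)) {
    //     return ['status' => 401, 'body' => 'Unauthorized'];
    // }
    return ['status' => 200, 'body' => 'reset started'];
}

// Hardened variant: the owner check runs before any destructive step, and a
// missing or unknown session is rejected rather than waved through.
function factoryRestoreHardened(?array $queryParams): array
{
    if (!authenticateAsOwner($queryParams)) {
        return ['status' => 401, 'body' => 'Unauthorized'];
    }
    return ['status' => 200, 'body' => 'reset started'];
}

// Regression check for the guard itself: an anonymous request (empty or absent
// session) must never reach the reset path. Running this against every handler
// that performs a destructive action catches an accidentally disabled check.
function unauthenticatedRequestIsRejected(callable $handler): bool
{
    return $handler(['session' => ''])['status'] === 401
        && $handler(null)['status'] === 401;
}

// Run from the CLI: php restore_check.php
$anonymous = ['session' => ''];
$owner     = ['session' => 'owner-session-abc123'];

printf("weak handler, anonymous request:     HTTP %d\n", factoryRestoreWeak($anonymous)['status']);
printf("hardened handler, anonymous request: HTTP %d\n", factoryRestoreHardened($anonymous)['status']);
printf("hardened handler, owner request:     HTTP %d\n", factoryRestoreHardened($owner)['status']);
printf("weak handler passes guard check:     %s\n", unauthenticatedRequestIsRejected('factoryRestoreWeak') ? 'yes' : 'no');
printf("hardened handler passes guard check: %s\n", unauthenticatedRequestIsRejected('factoryRestoreHardened') ? 'yes' : 'no');
```

The point of the `unauthenticatedRequestIsRejected()` check is that it tests the guard rather than the happy path: a handler whose authentication has been commented out still returns 200 to the owner, so an owner-only test would never notice the change.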

In a conversation with Ars Technica, HD Moore, security expert and CEO of Rumble, stated that “the vendor commenting out the authentication in the system restore endpoint really doesn’t make things look good for them … It’s like they intentionally enabled the bypass.” Even more damning is the fact that this hacker triggered factory resets with an XML request, which would require prior knowledge of the My Book Live system or outstandingly good guesswork.

But that’s not all. Most of the devices hit with the factory reset exploit had already been compromised in an earlier attack. A recent Western Digital blog post states that hackers exploited CVE-2018-18472, a three-year-old vulnerability, to gain full administrative access to My Book Live drives. This vulnerability lets attackers run high-privilege commands on the drives and view or modify files.

Interestingly, the hacker who deployed the CVE-2018-18472 exploit had password-protected it. Western Digital says that it was used to spread .nttpd,1-ppc-be-t1-z, a PowerPC malware that turns devices into a Linux.Ngioweb botnet—basically a rotating proxy service that can hide cybercriminals’ identities or launch DDoS attacks.

Western Digital says that it doesn’t know why hackers would exploit the CVE-2018-18472 and factory reset vulnerabilities back-to-back. It certainly seems counterintuitive; why would you quietly build a botnet just to create a massive scandal and push My Book Live users to buy a new NAS device?

The conclusion reached by Censys and Ars Technica seems the most plausible—a hacker ran the factory reset exploit to sabotage the growing botnet. Maybe the hackers are rivals, although this whole thing could have been a coincidence. Who knows, maybe someone in a Discord chat or forum announced that My Book Live devices haven’t been updated since 2015, leading two hackers to run independent attacks within the same timeframe.

If you’re a My Book Live user, please disconnect your drive from the internet and never use it as a remote storage device ever again. Newer NAS devices, including those from Western Digital, have security features that are actually up to date.

Source: Ars Technica