Many Western Digital My Book Live users report that their devices have been reset to factory defaults and, worse, that all the data stored on them has disappeared. It is not yet clear whether the cause was a technical failure or an attack, but we recommend that all owners disconnect their My Book Live and My Book Live Duo drives from the Internet, at least until the vendor provides more details.
What happened to WD My Book Live
According to Bleeping Computer, log analysis shows that the devices received a remote command to reset their settings to factory defaults, a procedure that wipes the disk completely.
A message on the Western Digital support site says that the devices were compromised through a remote code execution (RCE) vulnerability. WD support suspects CVE-2018-18472, reported in 2018, is to blame. Anyone who knows the exact IP address of a WD My Book Live device can exploit it, with no credentials required. The vulnerability carries a CVSS severity score of 9.8, which puts it in the critical range.
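The page describes the flaw only as an RCE reachable by anyone who knows the device's address, not how it works. The following is an added illustration, not Western Digital's firmware code: a NAS web API handler that takes the OS-command-injection form of RCE (an assumption; it is the variant most often found in embedded web interfaces), beside a hardened handler that requires a session and validates the parameter before running anything. The endpoint shape, the allowlist, the request dictionaries and the stand-in `echo` command are all constructed for the example.

```python
"""Constructed example: an unauthenticated NAS API handler vulnerable to
command injection, next to a hardened version. Not vendor code."""
import re
import subprocess

# Stand-in for the firmware's real language-setting command (not known from
# the page). `echo` is used so the example runs anywhere and its output shows
# exactly what the shell executed.
SET_LANGUAGE_BIN = "echo"

ALLOWED_LANGUAGES = {"en", "de", "fr", "ru"}   # assumed allowlist
LANGUAGE_RE = re.compile(r"[a-z]{2}")          # two lowercase letters only


class ApiError(Exception):
    """HTTP-style error raised by the hardened handler."""
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def handle_language_vulnerable(request: dict) -> str:
    """Vulnerable: no authentication check, and the parameter is interpolated
    into a shell command line, so `; <cmd>` in the parameter runs <cmd> as
    the web server's user (root on many NAS firmware builds)."""
    language = request["params"]["language"]
    cmd = f"{SET_LANGUAGE_BIN} applied={language}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout.strip()


def handle_language_hardened(request: dict) -> str:
    """Hardened: require an authenticated session, accept only allowlisted
    values, and pass the value as a discrete argv element so no shell ever
    parses it."""
    if not request.get("session", {}).get("authenticated"):
        raise ApiError(401, "authentication required")
    language = request["params"].get("language", "")
    if not LANGUAGE_RE.fullmatch(language) or language not in ALLOWED_LANGUAGES:
        raise ApiError(400, "unsupported language")
    proc = subprocess.run([SET_LANGUAGE_BIN, f"applied={language}"],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def demo() -> dict:
    """Run the same injected request through both handlers."""
    # Constructed attacker request: no session, shell metacharacters in the parameter.
    attack = {"params": {"language": "en; echo INJECTED"}, "session": {}}
    results = {"vulnerable": handle_language_vulnerable(attack)}
    try:
        handle_language_hardened(attack)
    except ApiError as e:
        results["hardened"] = f"{e.status} {e}"
    legit = {"params": {"language": "en"}, "session": {"authenticated": True}}
    results["hardened_legit"] = handle_language_hardened(legit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The vulnerable handler's output contains the line `INJECTED`, produced by the second command the attacker smuggled in; the hardened handler rejects the same request before any process is started, first on the missing session and, if a session were present, on the allowlist check.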
Why My Book Live devices were vulnerable
WD My Book Live devices are network-attached storage (NAS) units popular with both home users and small businesses. They offer remote access to the stored data as well as backup creation, and to work as intended they need a stable Internet connection with access to the My Book Live cloud service.
According to the same Western Digital message, the My Book Live and My Book Live Duo last received firmware updates in 2015, three years before CVE-2018-18472 was reported. No update that could have addressed the vulnerability was ever released.
Western Digital continues to investigate the incident and promises to release new details shortly.
How to protect data on the My Book Live devices
First: disconnect the My Book Live and My Book Live Duo from the Internet as soon as possible. If it is difficult to work out how to do this in your router settings, disconnect the drive from the network physically, then configure the router correctly. Configuring it correctly means removing any port-forwarding or UPnP rules that expose the device's web interface to the Internet, not merely blocking its access to the cloud service. If your device has not yet been affected, this keeps your data intact.
After that, you should wait for news from Western Digital. Perhaps they will find a way to close the vulnerability, or even to restore the data for those users whose information was wiped.
In general, we recommend Internet-isolated solutions for creating and storing backups of important information. Granted, that prevents you from accessing the backups remotely. On the bright side, it also prevents anyone else from accessing them remotely, which is better for the integrity of the backups.
Backup creation can be automated with security solutions that include that functionality.