WD MyBook Live devices are deleting data, definitely unplug yours now

There’s a problem with Western Digital (WD) My Book Live devices, with users reporting data being wiped from the devices.

Before we start, if you have a WD My Book Live or My Book Live Duo on the list below, you should definitely go and disconnect it from the internet right now.

Affected Models

Now. The reason you did that is that last week users reported (via Bleeping Computer) waking up to find their My Book Live completely wiped and reset. The reports prompted WD to issue an advisory for customers to immediately disconnect their devices from the internet.

The issue is affecting users globally, including EFTM reader Mark, who noticed his My Book Live acting strangely last week. Mark logged in to find his device reset and, unaware of the broader issues affecting the My Book Live devices, took it to a professional to be recovered, which has been unsuccessful so far. Mark has unfortunately lost his iTunes and video libraries, but as with most data, you’re never really sure until you need it.

The experience has also been mirrored on the WD support forums, with a fairly extensive thread showing a large number of users reporting similar results.

Overnight, WD has updated its advisory to list CVE-2021-35941, which says the My Book Live firmware is vulnerable when remote access is enabled. The vulnerability ‘allows an attacker to factory reset the device without authentication’.

A further analysis by Ars Technica and Derek Abdine, CTO of security firm Censys, found that another vulnerability had also been exploited. The exploit has been tied to an unauthenticated zero-day vulnerability: the call to run the factoryRestore.sh script did not require authentication because, according to Ars, the lines which would normally request a password had been commented out by a Western Digital developer.

A blog post by Censys postulated why the reset happened, saying ‘it could be an attempt at a rival botnet operator to take over these devices or render them useless (it is likely that the username and password are reset to their default of admin/admin, allowing another attacker to take control), or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015.’

As for what to do now, Western Digital advises owners to ‘Immediately disconnect your My Book Live and My Book Live Duo from the Internet to protect your data from ongoing attacks’.

Western Digital has said that any My Book Live or My Book Live Duo owners who lost data in the attacks will be offered recovery services – so if you’ve been affected, it’s definitely worth lodging a support ticket. Additionally, Western Digital will offer a trade-in program to upgrade them to a supported My Cloud device – with details on how customers can take advantage of both offerings to be advised.

The issue is fairly serious. Data can be highly personal and volatile, so losing it can be a big deal, and this has surely shaken the faith some users had in Western Digital. At this stage, you should definitely unplug your My Book or My Book Duo from the internet, and as soon as Western Digital announces details of its trade-in and data recovery programs, we’ll let you know.

Daniel Tyson

Daniel has been talking about, learning about and using tech since he was able to toggle switches and push buttons. If it flashes, turns on or off or connects he wants to use it, talk about it and learn more about it.
