Western Digital recommends that users of the WD My Book Live and WD My Book Live Duo disconnect them from the Internet to prevent data loss. Several users of those devices have lost all their data. WD says it is investigating the problem.
In a forum post, Western Digital writes that the company has determined that some My Book Live devices have been compromised by malicious software. As a result, internet-connected drives were reportedly reset to factory settings and all data on them was deleted. The My Book Live and My Book Live Duo received their last firmware update in 2015, WD reports.
The manufacturer issued the warning after users on the forum reported that all data on their My Book Live devices had disappeared. For example, one user writes that his HDD was suddenly empty and that he can no longer log in to the interface because the password is unknown. Several other users report similar issues; they also lost all their data.
Several users say that the data loss was related to an unwanted factory reset of their device. One user posted a log showing that a factory reset was performed. According to the user, however, no one was in the house at the time.
In a statement to Ars Technica, WD said there is no indication that the company itself has been the victim of an attack or data breach. The external hard drive manufacturer believes users of the My Book Live devices are under attack, but it is unclear what exactly is going on. WD emphasizes in the statement that the last firmware update dates from 2015. The company says it is investigating the issues and will update its site when there is new information.
The WD My Book Live devices are external hard drives with a network connection. The external HDDs have been sold since 2010. The Duo version is a variant with two HDDs. Other My Book devices that do not have an Internet connection are not affected.
Update: As FeronIT points out, the issues are related to a vulnerability that has been known since 2018 and that WD has not fixed because, according to the manufacturer, the support period for the hardware is over. On its website, WD confirms that the RCE vulnerability is CVE-2018-18472. That vulnerability can be exploited by anyone who can find out the IP address of the device in question.
Jun 23 15:14:05 MyBookLive factoryRestore.sh: start script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: start script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
Log from a user who lost his data
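To check an exported device log for the same pattern, the following added example (not from the original article or from WD) flags each `factoryRestore.sh` start, whether a shutdown followed, and how long the device stayed silent. It assumes BSD-style syslog lines like the ones above; the 60-second window and the use of `S`-numbered init scripts as the "device is back" marker are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the user's log quoted in the article.
SAMPLE_LOG = """\
Jun 23 15:14:05 MyBookLive factoryRestore.sh: start script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: start script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""
ASSUMED_YEAR = 2000  # syslog omits the year; only time deltas matter here
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\[]+)(?:\[\d+\])?: ?(.*)$")

def parse(line):
    """Split one syslog line into (timestamp, host, tag, message)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines that are not in syslog layout
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3).strip(), m.group(4)

def find_factory_resets(lines, reboot_window=timedelta(seconds=60)):
    """Return one finding per factoryRestore.sh start seen in the log."""
    events = [e for e in map(parse, lines) if e]
    findings = []
    for i, (ts, host, tag, msg) in enumerate(events):
        if tag != "factoryRestore.sh" or not msg.startswith("start script"):
            continue
        later = [e for e in events[i + 1:] if e[1] == host]
        rebooted = any(e[2] == "shutdown" and e[0] - ts <= reboot_window
                       for e in later)
        # Assumption: the first S-numbered init script marks the next boot.
        back = next((e[0] for e in later if re.match(r"S\d\d", e[2])), None)
        findings.append({"host": host, "reset_at": ts, "reboot_followed": rebooted,
                         "downtime": back - ts if back else None})
    return findings

if __name__ == "__main__":
    for f in find_factory_resets(SAMPLE_LOG.splitlines()):
        print(f)
```

A finding whose `reset_at` falls at a time when nobody was operating the device is the signal the affected user described.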