Western Digital Removed Code That Would Have Prevented Widespread Hard Drive Hacks


You may have heard several days ago that owners of certain Western Digital My Book external hard drives were hit with a remote exploit that deleted all their data. Alternatively, you may be the unlucky owner of a My Book Live and are still in mourning over the loss of your precious files. In either case, it looks like the cause of the reformat hack was not the 2018 vulnerability but was instead a zero-day exploit caused by sloppy development. However, this does not clear WD of wrongdoing. If anything, it’s even worse. 

Last week, many owners of My Book Live hard drives awoke to find their devices had been reset. Unlike most external drives, the My Book Live doesn’t have a USB port. It’s intended to connect to your local network via an Ethernet cable so it can be accessed from all your other devices. However, it defaults to being available online at all times, and WD stopped supporting the My Book Live several years ago. 

It’s true that if WD had not abandoned the My Book Live lineup, it might have spotted the problem before the hack. However, the initial supposition that the hack stemmed entirely from an unpatched 2018 flaw has been proven wrong. Ars Technica and security researcher Derek Abdine now say the mass hack comes from an unreported flaw in WD’s drive software. The software included an authentication check whenever the embedded reset command was triggered. However, for unknown reasons, it was disabled in the shipping software. All the attacker needed to know to blank the drives was how to format the XML request. The code, seen below, would have blocked the reformat, but the double slash at the beginning of each line indicates it was “commented out.”

```php
function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
//  if(!authenticateAsOwner($queryParams))
//  {
//       header("HTTP/1.0 401 Unauthorized");
//       return;
//  }
    // With the owner check above commented out, the handler proceeds for any
    // caller. The rest of the function body is not shown in the article.
}
```
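As an added example that is not from the article or from WD's firmware: a small Python source check that flags commented-out authentication gates like the one above, so a CI job can fail a build before it ships in that state. It handles `//`, `#` and `/* */` comments and ignores `//` inside string literals; the gate names other than `authenticateAsOwner` and the 401 header are assumptions to tune for a real code base.

```python
import re

# Gate patterns: authenticateAsOwner and the 401 header come from the article's
# snippet; the other names are generic and should be tuned to your code base.
GATE_RE = re.compile(
    r"\bauthenticate\w*\s*\(|\bauthoriz\w*\s*\(|\bis_?(admin|owner|logged_?in)\w*\s*\("
    r"|HTTP/1\.[01]\s+40[13]\b", re.IGNORECASE)
STRING_RE = re.compile(r"'[^']*'|\"[^\"]*\"")

def comment_bodies(source):
    """Yield (line_number, text) for each // or # comment and each line of a /* */ block."""
    in_block = False
    for lineno, line in enumerate(source.splitlines(), start=1):
        rest = line
        while rest:
            if in_block:
                end = rest.find("*/")
                if end == -1:
                    yield lineno, rest
                    break
                yield lineno, rest[:end]
                rest, in_block = rest[end + 2:], False
                continue
            # Blank string literals (same length) so "http://..." is not read as a comment.
            m = re.search(r"//|#|/\*", STRING_RE.sub(lambda s: "'" * len(s.group()), rest))
            if not m:
                break
            if m.group() == "/*":
                rest, in_block = rest[m.end():], True
            else:
                yield lineno, rest[m.end():]
                break

def find_commented_gates(source):
    """Return [(line_number, comment_text)] for comments that hold a disabled auth gate."""
    return [(n, t.strip()) for n, t in comment_bodies(source) if GATE_RE.search(t)]

# Constructed sample: the article's snippet with smart quotes replaced, plus one
# line whose URL string must not be mistaken for a comment.
SAMPLE_PHP = """<?php
function post($urlPath, $queryParams = null, $ouputFormat = 'xml') {
//  if(!authenticateAsOwner($queryParams))
//  {
//       header("HTTP/1.0 401 Unauthorized");
//       return;
//  }
    $url = "http://localhost/" . $urlPath;  // live code after a real string
}
"""
```

Running `find_commented_gates(SAMPLE_PHP)` reports lines 3 and 5 of the sample, the disabled owner check and the 401 response; a non-empty result is the signal to fail the build.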

So, that’s all pretty weird, but it gets even weirder. These drives are indeed vulnerable to CVE-2018-18472, the 2018 exploit Western Digital initially fingered as the cause. Western Digital says that in at least some of the known hacks, the attackers used CVE-2018-18472 to gain access and then triggered the zero-day to format the drive. The 2018 flaw should have given the attacker root access, so it’s unclear why they also used the zero-day. Several hacked drives have been found to carry malware built for the drive’s PowerPC hardware, which makes them part of the Linux.Ngioweb botnet.

Dan Goodin from Ars has a theory about this, and it’s one with which I agree. Goodin speculates that the botnet installation and reset were carried out by different attackers. Perhaps the data deletion attack was an attempt by a rival to blow up their enemy’s botnet. It’s just a shame that regular users lost all their data by being caught in the middle. Regardless, Western Digital really screwed up by letting a device with two serious vulnerabilities sit in people’s homes all this time.
