Manufacturer Stopped Supporting Targeted Network-Attached Storage Devices in 2015
Internet of things security reminder: When a manufacturer stops issuing updates for any device that connects to the internet, in many cases the only way to secure the device is to disconnect it from the internet. If that cannot be done in a guaranteed manner, then the only way to secure such devices is to dispose of them.
Case in point: Storage device manufacturer Western Digital warns that two of its network-attached storage devices – the WD My Book Live and WD My Book Live Duo – are vulnerable to being remotely wiped by attackers and now urges users to immediately disconnect them from the internet.
“We do not yet understand why the attacker triggered the factory reset.”
“I have a WD My Book Live connected to my home LAN and it worked fine for years. I have just found that somehow all the data on it is gone today,” one user posted Thursday, noting that the device’s password was also changed, making it impossible to access the device’s configuration options.
“All my data is gone too,” another user posted. “Message in GUI says it was ‘factory reset’ today! 06/23. I am totally screwed without that data … years of it.”
Later that day, the manufacturer issued this alert in a product security warning: “Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.”
Attackers are also sometimes installing a Linux Trojan that runs on the PowerPC architecture both types of devices use, although it isn’t yet clear what the malware does.
Repeat Target: Exploitable IoT Devices
In the past, however, attackers have frequently attempted to co-opt internet-connected devices – especially if they have copious amounts of storage – and use them as repositories for stolen data, or for launching attacks. The Mirai botnet, for example, sought to exploit dozens of IoT devices via default or weak credentials, to enable attackers to use the devices as launch pads. The Mirai source code continues to circulate in updated forms via cybercrime forums and can be used for everything from distributed denial-of-service attacks to infecting devices with further types of malware or helping criminals defeat e-commerce anti-fraud measures.
The underlying flaw in the newly targeted WD devices is designated CVE-2018-18472 and was first publicly disclosed in June 2019. “Western Digital WD My Book Live (all versions) has a root remote command execution bug via shell metacharacters in the /api/1.0/rest/language_configuration language parameter. It can be triggered by anyone who knows the IP address of the affected device,” the U.S. National Vulnerability Database noted at the time. Now, it says, the vulnerability is being reviewed in light of the new attacks.
“We are reviewing log files which we have received from affected customers to further characterize the attack and the mechanism of access,” Western Digital says. “The log files we have reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. This indicates that the affected devices were directly accessible from the internet, either through direct connection or through port forwarding that was enabled either manually or automatically via UPnP.” Universal Plug and Play – aka UPnP – is a set of networking protocols to make it easier for networked devices to find and connect to each.
“We understand that our customers’ data is very important. We do not yet understand why the attacker triggered the factory reset; however, we have obtained a sample of an affected device and are investigating further,” Western Digital says. “Additionally, some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.”
Internet Connectivity Carries Risks
Western Digital’s warning suggests that the vulnerable devices may have connected to the internet without users being aware, for example, if UPnP was enabled. Or they may have enabled internet connectivity to make the devices easier to access. Regardless, the safest course of action appears to be disconnecting the vulnerable devices from any local area network, pending a full review of how the devices are being exploited.
Buyers of My Book Live and My Book Live Duo devices were likely overwhelmingly consumers, who may not have understood the security trade-offs incumbent in activating UPnP or internet access to their devices. Now, of course, they may remain loathe to discard their network-attached storage if it still stores data.
The data-wiping attacks, meanwhile, could simply be a side effect of criminal hackers wanting to give themselves more storage space on these network-attached storage appliances.
But they are a reminder to everyone – businesses and consumers – to never store important or sensitive data on untrusted or outdated devices that have the capability to connect to the internet, unless additional security measures have been put in place to ensure they stay locked down.