Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices

This is probably also reflected by the fact that they stopped patching it relatively early in its life. Three years of patches for what is effectively an internet-connected hard drive, presumably one that its target audience is going to be using for many years as something that “just works,” reflects a disinterest by Western Digital in living up to its own sales pitch.

Several years back, I did an internship at Western Digital. I was a software intern on a hardware team in testing working on a project that no one on the team was capable of doing. It quickly became obvious it was more appropriate for a contractor to build than an intern, and was even told as much, but they went with the intern route because it "required fewer signatures".

It was glaringly obvious that software was not part of the company's core competency. Worse, was that software was treated as a nuisance and afterthought to the hardware. No idea how today's Western Digital compares, but I generally steer clear of the company's products that rely on any non-trivial software.

I think part of the problem is that the industry doesn't seem to value embedded software engineers. The work embedded software folks do is just as complicated as that of a full-stack developer working for a SaaS company, but the salaries aren't comparable.

It doesn't help things that the skill sets are very transferrable. It's tough to find somebody willing to forego 20-30% of salary just because they enjoy embedded - after a while, people get fed up and move into better paid SE roles. So, embedded software departments are often short-handed. A former employer of mine lost a senior firmware engineer almost three years ago. As far as I know, they still haven't filled the position.

You'd likely be shocked/scared at the amount of terrible code which is out there in the wild running at any time in large companies. Mostly it is outsourced to the cheapest possible vendor, many times who have barely a grasp of what they're doing, and for sure don't understand or think about best security practices.

Usually a OEM does a proof of concept cobbled together linux based firmware to demo the capability of it's new SOC to prospective buyers.

WD then takes the OEM POC firmware - slaps on their logos and ships it.

That is why I would trust NAS manufacturers like Synology or Thecus or QNAP more -personally I use Unraid.

Watching the world burn. There are plenty of examples of worms/viruses that bring no benefit to the creator. I know you said "excluding", but it's popular.

Alternatively, some misguided "white knight" idea. Maybe the factory reset turns off the "open to the internet" setting.

A put option on WD stock?

Realistically speaking, you are probably going to be able to hide ~$100-$250k of put earnings, especially if you have a trading history and it's not the only thing you trade.

That can be a considerable payout.

What I don't get is why are people directly connecting these devices to the internet?

The logs in the article show these devices being accessed from the internet.

There have been many people in this forum mentioning how their data is gone, and I'm doubting most of the people here are directly connecting their devices to the internet .. which makes me feel like there is something more going on.

Or the botnet was DDoSing, and someone decided they had enough. (it would not be the first time)

Incompetence probably, there's really no downside when experimenting with others' devices (aside from legal).

first HN article had a bunch of people saying there were devices behind a NAT with no port forwarding that had the issue, this doesn't describe what happened there (if that actually happened)

> If a user forgets their password or

Isn't this the reason for a hardware reset button?

Having this available over the internet is probably negligent.

Or he just was working on a feature, and got annoyed with password prompts. Commented out authorization code, then forgot to comment it back in

The most infuriating answer would be maybe they were testing the restore function, and was tired of entering the test username and password over and over again. And then the "I'll just comment it out for my tests" got commited, and built, and deployed.

If a user forgets their password, they still need a way to factory reset so as not to brick the device. Of course, this should involve, say pressing and holding physical button on the device. Just commenting out the password check was probably a lot easier.

If one of these devices is sold, the new owner may want or need to do a reset but doesn't know the password.

Was likely done in development by a developer that was sick of seeing the same password prompt 50 times a day, and who later forgot to un-comment it. There's absolutely no way this should have made it past code review.

Just curious, did you have remote (WAN) access set up?

I have one of these at my parents house, I had them unplug it, once I read this, but I was always wary of turning on remote access, as in it would only be accessible from the LAN, I haven't had a chance to go back in and check if it was hit, but I'd like to think that without remote access turned on it wasn't vulnerable.

I have 2 backups of most data but these stories make me worry. It is so time consuming. Easy to forget to maintain, & test.

How would they contact the owner of the device? All they know is the IP address of the device.

It applies to the "My Book Live" version.

Never thought I’d see Ars explain what “commenting out” means.

> ouputFormat

As far as I can tell, WD's response is "too bad so sad you should have bought a newer product", so I don't think they offer affected people any sort of recovery gratis.

(I suspect this will bite them in the ass in the court of public opinion, but we'll see.)

Not sure what "factory reset" means, likely just deleting the MBR or something like that, the data is likely recoverable using consumer data recovery tools.

It's not that it's secured with PHP, it's that it's not secured properly. Given the scale of this screw-up, there's nothing tying it to PHP, and it could've been done in the HN language/platform du jour.

Yep. We are talking about cloud services revolution but the sad fact is that I can't trust these incompetents with my shopping list and need to maintain all my data and backups myself.

Snippet supplied in the article:

  function get($urlPath, $queryParams=null,   $ouputFormat='xml'){
  // if(!authenticateAsOwner($queryParams))
  // {
  // header("HTTP/1.0 401 Unauthorized");
  // return;
  // }

That if statement is checking for authentication before running the rest of the function. Just the if check is commented out.

Assuming here the rest of that function would come below it, with a closing brace.

ie:

  function get($urlPath, $queryParams=null, $ouputFormat='xml'){
  // if(!authenticateAsOwner($queryParams))
  // {
  // header("HTTP/1.0 401 Unauthorized");
  // return;
  // }
  
  do;
  something;
  here;
  then;  
  }

Here's the snippet from the article:

  function get($urlPath, $queryParams=null, $ouputFormat='xml'){
  // if(!authenticateAsOwner($queryParams))
  // {
  // header("HTTP/1.0 401 Unauthorized");
  // return;
  // }

The closing brace there corresponds to the if. The rest of the body of the function, and its closing brace, are outside the snippet included in the article.

The commented-out closing brace is for the if statement, not the whole function. The rest of the function was snipped, you can see the whole thing here: https://paste.debian.net/plainh/7630c424

It comments out the `if` block, but not the rest of the function.