You may recall that a couple of weeks ago, we wrote about a security risk associated with Western Digital My Book Live NAS hard drive units. Users reported their web-connected hard drives were completely wiped with no means of recovering their data. The issue is ongoing and stems from a security vulnerability. However, as PetaPixel reports, the vulnerability goes beyond the My Book Live product and affects other WD NAS drives running the company’s OS 3 software.
Security journalist Brian Krebs has published a report outlining the My Book Live issue, plus another security flaw present in a wider range of Western Digital MyCloud network storage devices.
Krebs writes, ‘At issue is a remote code execution flaw residing in all Western Digital network-attached storage (NAS) devices running MyCloud OS 3, an operating system the company only recently stopped supporting.’ Researchers Radek Domanski and Pedro Ribeiro were going to outline the flaws in MyCloud OS 3 at last year’s Pwn2Own hacking competition in Tokyo. WD then released MyCloud OS 5 – skipping OS 4 entirely – before the duo could expose the vulnerability. The pair could not compete since the competition required participants to show flaws in the latest firmware or software. However, they have shared a detailed video showing the chain of weaknesses they discovered.
As of March 12, 2021, Western Digital will no longer provide further security updates to MyCloud OS 3 firmware. The problem is that multiple security flaws appear to still exist in OS 3, and not everyone can update their device to OS 5. Some devices are incompatible with the latest firmware, and WD’s solution is for people to buy new products. Beyond those constraints, Domanski states that OS 5 doesn’t include all the core functionality of OS 3, so some users may not want to upgrade even if they’re able to.
PetaPixel notes a variety of issues and complaints with OS 5. The newest firmware eliminates integration with Google, Dropbox, OneDrive and Adobe. Further, thumbnail generation, which some users don’t need or want, can cause ‘unending indexing’ or even freeze the device.
Western Digital is aware of complaints against OS 5, and in a statement to PetaPixel states that the company is regularly releasing updates and responding to customer feedback. WD also promises to restore top-used functionality that was omitted from OS 5’s initial release.
Krebs reports that Western Digital never responded to Domanski and Ribeiro about the flaw the pair discovered. WD has since updated its process and will respond to every future report.
Domanski and Ribeiro have developed and released a patch, which fixes the vulnerabilities they discovered in OS 3. WD, of course, cannot guarantee the efficacy or stability of any third-party patches. Domanski says that MyCloud users on OS 3 can eliminate the threat from attacks by ensuring that their devices aren’t reachable remotely over the internet. MyCloud devices let customers access their data remotely, but exposing a device this way also opens it up to bad actors accessing that data. ‘Luckily for many users they don’t expose the interface to the internet,’ Domanski said. ‘But looking at the number of posts on Western Digital’s support page related to OS3, I can assume the userbase is still considerable. It almost feels like Western Digital without any notice jumped to OS5, leaving all the users without support.’
MyCloud OS 5 has some of the features of OS 3, but it’s missing key functionality.
For users who have been impacted, many of whom are understandably very angry and frustrated, Western Digital has promised to provide data recovery and product trade-in programs. Data recovery service will be offered free of charge.
If you’d like to learn more about the exploit used to wipe data from Western Digital My Book Live storage devices, Dan Goodin, Security Editor at Ars Technica, has written an excellent breakdown of the ins-and-outs of the exploit and how it operates.
To sum up the ongoing issue, there’s a security flaw with Western Digital OS 3. If you have a device running OS 3 and leave it connected to the internet, you may be subject to remote access by malicious actors, resulting in your data being deleted. Domanski and Ribeiro have released a patch for OS 3, but Western Digital cannot guarantee that it works since it’s a third-party patch.
WD itself has no intention of fixing OS 3, as its solution is simply to upgrade to OS 5. However, not all devices can upgrade to OS 5 and not all users want to lose OS 3’s features, some of which aren’t available in OS 5. If your device cannot run OS 5, WD suggests buying a newer Western Digital product that supports the latest firmware. If you already lost data due to the exploit, Western Digital is offering free data recovery services. You can contact Western Digital customer support via the WD website.