While I love the cloud and the power that comes with it, I still see no reason to expose every device at home for some kind of remote access if I don’t need to.
Although many vendor tools are quite fancy and comfortable, there is a reason why hardware at home should not be reachable all the time without a VPN or a similar form of secured remote access. Exposing my NAS to the Internet just to reach the files residing there is comfortable but always a risk: lately QNAP suffered several security flaws, and today users of WD My Book Live devices may find the data on their systems erased.
It is probably the worst thing that can be configured and then happen: the classic „fire-and-forget“ rollout, a „ready, ready, finish“ installation led by a wizard, and your personal data storage at home (or rather its web interface!) is exposed to every threat on the World Wide Web. Okay, with great power comes great responsibility, but do I really need to open a gate to the public for the device on which I save personal photos, backups and so on?
Waking up with a wipe
Today, users of the WD devices named above woke up to find their data deleted, forcing the storage maker to advise unplugging the affected devices from the Internet as soon as possible. Engineers are currently investigating an as yet unexplained compromise that led to complete data loss on affected devices around the world. The ball got rolling with a post in WD’s forum and, so far, there are no reports that the deleted data could be restored. Apparently the directory structure on the devices is still intact, but every file has been wiped from the systems.
“I have a WD My Book Live connected to my home LAN and it worked fine for years,” the user starting the thread wrote. “I have just found that somehow all the data on it is gone today, while the directories seem to be there but empty. Previously the 2TB volume was almost full but now it shows full capacity.”
Other My Book Live users quickly joined the conversation to report that they had experienced precisely the same thing. “All my data is gone too,” one user soon responded. “I am totally screwed without that data… years of it.” Multiple users reported that the data loss coincided with some kind of factory reset that seems to have been performed on their devices. One person posted a log that showed unexplained behavior occurring on Wednesday:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
Pull the Plug!
WD advised customers to disconnect their My Book Live devices from the Internet immediately to prevent further wiping while the vendor investigates this mass incident.
Looking for the reason why this happened, we see the light and shadow of the modern „always-on“ world. Citing the good old Spider-Man phrase I mentioned above and thinking from a security perspective, it is grossly negligent, of WD and of the affected users alike, to expose to the Internet a device whose latest firmware update was released in 2015. While end users are, well, end users, there should have been some kind of warning from WD’s side that the device is no longer supported and, logically, runs a six-year-old firmware version that does not meet today’s security standards. Flaws in it have been exploited before, but with this attack targeting a firmware from 2015, many users are now facing complete data loss with, so far, no way to get their data back, although WD is still investigating the issue.
Once this thunderstorm has hit your device, you will unfortunately have to wait for the result of WD’s investigation, but hopefully you have disconnected your device from the Internet in the meantime. There is no sign of ransomware so far, as the attack seems to have had just one thing in mind: data destruction without encryption. Hoping that WD will somehow find a way to deal with the apparently factory-reset devices, the firmware must be updated immediately to close the root of the evil seen on so many IoT devices that were deployed in a „fire-and-forget“ state with default credentials or ancient firmware versions.
In the future, consider giving up some convenience and adding another layer of security to your devices. Although it costs some comfort, a VPN connection into your router or firewall is the first way to keep access to your devices more secure. Regularly checking for firmware updates and retiring unsupported devices is another. But, by all means, don’t bank on one or two single drives holding the data of your personal life!
Depending on your device, there are options to encrypt and back up NAS contents to services such as Wasabi (S3-compatible) or Synology C2, so that you are covered in case a hardware failure causes data loss!