On June 23rd, WD Community Forum user sunspeak created a forum post that would ultimately spearhead the community outcry over the wiping of My Book Live devices. At the time of writing, that post has over 46,000 views and 763 replies, some of which have devolved into arguments over whether a company can simply declare a product “end-of-life” (EOL) and stop supporting it despite glaring security issues. In any case, it seems the unpatched 2018 vulnerability was not the only thing at play here.
We now know that the attackers were using the 2018 vulnerability to download a malicious payload, run it, and join the WD My Book Live devices to a botnet, as researchers at Censys explain. The attackers then password-protected the entry point they had used so that, in theory, no one else could exploit the same hole and take over the devices they had already recruited. However, this does not explain why some users found their devices factory reset.
As it turns out, the mass device wipes stem from a separate, unauthenticated 0-day vulnerability in an endpoint named system_factory_restore, which does what its name implies. When the Censys team unpacked the firmware Western Digital shipped and looked at this endpoint, they found, to their surprise, the “authentication code commented out (disabled) at the top.” In short, a single unauthenticated request to this endpoint was enough to trigger the factory restore process. Because the two flaws are independent, a device protected against the 2018 bug alone would still have been exposed to the wipe.
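The failure mode described above, an authentication check that lives inside the handler and can be commented out, is worth contrasting with a design where the dispatcher enforces authentication for every route. The following is an added, constructed Python model; it is not Western Digital's firmware code, and the route names, the owner-password check and the Device/Request types are assumptions chosen only to illustrate the point.

```python
"""Toy REST dispatcher contrasting per-handler authentication (fragile) with
dispatcher-enforced, deny-by-default authentication (robust).
Constructed example, not firmware code; all names below are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed owner credential for the simulated device.
OWNER_PASSWORD = "correct horse battery staple"


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Device:
    wiped: bool = False


def authenticate_as_owner(params: Dict[str, str]) -> bool:
    """Stand-in for the device's owner check (assumed, simplified)."""
    return params.get("password") == OWNER_PASSWORD


# --- Vulnerable style: each handler is responsible for its own check --------

def vulnerable_system_factory_restore(req: Request, dev: Device) -> int:
    # The only check is disabled the way the text describes: commented out at
    # the top of the handler. Nothing else stands between the request and the
    # wipe, so any unauthenticated POST resets the device.
    # if not authenticate_as_owner(req.params):
    #     return 401
    dev.wiped = True
    return 200


def vulnerable_dispatch(req: Request, dev: Device) -> int:
    handlers = {("POST", "/system_factory_restore"): vulnerable_system_factory_restore}
    handler = handlers.get((req.method, req.path))
    return handler(req, dev) if handler else 404


# --- Hardened style: the dispatcher decides, handlers cannot opt out ---------

Handler = Callable[[Request, Device], int]


@dataclass
class Route:
    handler: Handler
    requires_owner: bool


ROUTES: Dict[Tuple[str, str], Route] = {}


def route(method: str, path: str, *, requires_owner: bool):
    """Every route must declare its auth policy; there is no default."""
    def register(fn: Handler) -> Handler:
        ROUTES[(method, path)] = Route(fn, requires_owner)
        return fn
    return register


@route("POST", "/system_factory_restore", requires_owner=True)
def hardened_system_factory_restore(req: Request, dev: Device) -> int:
    dev.wiped = True
    return 200


@route("GET", "/system_info", requires_owner=False)
def system_info(req: Request, dev: Device) -> int:
    return 200


def hardened_dispatch(req: Request, dev: Device) -> int:
    r = ROUTES.get((req.method, req.path))
    if r is None:
        return 404
    # The authentication decision is made here, once, for every route, so a
    # handler author cannot forget it or comment it out.
    if r.requires_owner and not authenticate_as_owner(req.params):
        return 401
    return r.handler(req, dev)


def audit_unauthenticated_mutations() -> List[str]:
    """Return every non-GET route reachable without owner auth. Running this
    in CI flags a state-changing endpoint that has lost its protection."""
    return sorted(path for (method, path), r in ROUTES.items()
                  if method != "GET" and not r.requires_owner)
```

The audit function is the check a reviewer would actually want: with the policy declared in one table, "which destructive endpoints are reachable anonymously" becomes a query rather than a manual read of every handler.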
It is speculated that the mass device wiping that occurred “could be an attempt at a rival botnet operator to take over these devices or render them useless, or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015.” Whatever the case, there are still 55,348 WD My Book Live devices across the…