Got a WD My Book Live device? Your data is at risk—here’s what to do

Posted on July 7th, 2021 by Kirk McElhearn

In the past few weeks, many users of Western Digital network-connected storage devices have found that their data was remotely wiped by hackers. The hackers took advantage of a bug in the firmware of certain older devices, along with a zero-day vulnerability in some newer devices. While this vulnerability has been fixed in a recent version of the newer devices’ operating system, many users cannot upgrade to this new version because their devices do not support it. Also, many users do not want to upgrade because the new version is not working well.

These issues affect a number of Western Digital My Book Live and My Book Live Duo devices:

My Book Live:

WDBACG0030HCH
WDBACG0020HCH
WDBACG0010HCH

My Book Live Duo:

WDBVHT0080JCH
WDBVHT0060JCH
WDBVHT0040JCH

These are network-attached storage (NAS) devices, which are popular because they offer large amounts of storage that is accessible remotely. Unlike, say, an iCloud Drive, Dropbox, or OneDrive account, these devices can hold large amounts of data, limited only by the size of the hard drives they contain. While the affected devices were sold with storage from 1 to 8 TB, Western Digital currently sells models with up to 36 TB of storage. For users who need access to lots of data, they can be cheaper than a cloud storage subscription, and provide full control over the data. Note that the company’s My Book and My Book Duo devices, which do not connect to the internet, are affected by this issue.

These cloud devices are popular with photographers, who need large amounts of storage for their photos, and often want to have remote access to store photos when on shoots. However, as PetaPixel notes, many features are unavailable, and there are problems with the new software. “The newest firmware eliminates integration with Google, Dropbox, One Drive and Adobe. Further, thumbnail generation, which some users don’t need or want, can cause ‘unending indexing’ or even freeze the device.”

How were these Western Digital devices attacked?

It seems that part of this exploit was made public by a pair of security researchers who planned to use it in the Pwn2Own hacking competition in Tokyo in 2020. Just before the event was due to take place, Western Digital released a newer version of the operating system that fixed the issue for select devices, so the researchers could no longer enter the contest.

However, in February of this year, the researchers posted a video on YouTube showing how they discovered the vulnerabilities, effectively making public their existence.

How to fix, recover data from, or upgrade your WD My Book Live

Given that many devices running the My Cloud OS 3 software, which were vulnerable, could not upgrade to My Cloud OS 5, the security researchers released a patch to fix the vulnerabilities they had discovered. But this patch – in the form of a shell script – needs to be applied each time the device is started up, and most users of the devices are not aware of its existence. In addition, Western Digital is not supporting this patch, and has not issued their own.

If you have one of the older devices, there isn’t much you can do. If you’ve lost data, Western Digital is offering a data recovery service for these devices, and it is possible that they can recover data. Unless the data was overwritten on the devices when deleted, there’s a good chance that much or all of the data can be recovered. That said, it’s important to note one condition. Western Digital says: “The Qualifying Product must be determined to have suffered a data loss prior to July 1, 2021.”

The company is also offering a discount for users who want to trade in their older devices, which cannot be patched, for newer devices of the same type.

So, if you have one of these devices, here’s what you should do.

  • Take the devices offline immediately: it’s not known how many people are exploiting these vulnerabilities, but the devices are certainly vulnerable.
  • Back up all the data on these devices: you should never have just one copy of data, especially on a device like this. If you use one of these devices for backups, then replace it with something else, or make additional backups.
  • Upgrade to My Cloud OS 5 software if you can: if your device supports the new software, upgrade immediately. If not, keep the device offline.
  • Take advantage of Western Digital’s trade-in discount: it’s no use keeping one of these older devices, since Western Digital has said that “We will not provide any further security updates to the My Cloud OS3 firmware.” A 40% discount is not bad, if you do want a new device.
  • Contact Western Digital for data recovery: if you have lost data, get in touch with Western Digital to see if they can help you.

Lessons learned

Note that even though the affected devices are fairly old, they may still be sold online or in retail. You should definitely not buy any device of this type, either new or used, unless you’re sure it can run the newer firmware. None of the affected devices are currently sold by Western Digital; they were last manufactured in late 2013, and the company issued an end-of-life warning in late 2019.

If there’s a lesson to be learned here, it is about being aware when your connected devices are no longer receiving security updates. Given the age of these devices, it’s not surprising that the company stopped updating the software. They supported them for six years after they were last manufactured, which seems like a fair amount of time for such support. But WD and other companies need to do a better job of informing customers when devices will no longer receive security updates.

And it’s not just WD My Book Live devices that are perilously outdated and sometimes still available for sale. You may find seemingly great prices on various Apple devices like iPhone, iPad or iPod touch, or discounted Wi-Fi routers, Android devices including smartphones and tablets, or Internet of Things (IoT) devices, on retail sites like Amazon or resale sites like eBay. It’s very important to do your own careful research before you buy any Internet-connected device to make sure the manufacturer is still selling it, which is usually a good sign that the company is still releasing security updates for it.

Find out how to avoid buying dangerous tech products here:

Caution! These Black Friday “deals” may be bad for your security

How can I learn more?

We talked about these issues with WD drives and more in episode 195 of the Intego Mac Podcast.

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn.