External hard drives connected to the Internet are an affordable way to access our information from anywhere with very low power consumption. Among NAS units of this type that ship with hard drives included, those from Western Digital are the most popular. However, malware is completely erasing the data on these hard drives overnight.
Specifically, the affected models are the Western Digital My Book Live and My Book Live Duo series, where several users are reporting that, overnight, their hard drives have been reset to factory settings and they have lost all the files stored on them.
WD My Book Live – All data erased
These hard drives feature Ethernet connectivity, allowing users to access files and manage the devices remotely, even when the NAS is behind a router or firewall. Unfortunately, users of these hard drives are finding that they cannot log in to their devices remotely, and when they access them locally, they discover that the devices have been reset and the data has been erased.
After analyzing the hard drive log, which is stored in the user.log file, users discovered that the hard drive received a remote command to perform a factory restore (factoryRestore.sh: begin script:). Users were hacked at the same time.
Western Digital has been investigating the case, and they claim that the bug is not related to a hack on their servers. The fault seems to lie in the fact that these external hard drives received their last firmware update in 2015, so they are exposed to all kinds of vulnerabilities from the last six years.
The only thing WD recommends doing right now is disconnecting the hard drives from the Internet, which basically means losing their remote access functionality, because the company hasn't updated the security of these older models for years.
You can recover deleted files
After a factory reset, it may still be possible to recover deleted files with programs such as Recuva or RecoveryRobot. It is possible that the company will also offer a solution to recover the deleted files, so for now you can try to see if you can recover those files. When recovering them, it is important to save them to a drive other than the external hard drive, since otherwise we would be overwriting the bits of the information that we want to recover.
These types of cases demonstrate how important security updates are on any device that has Internet access. WD released the My Books in 2011 and stopped selling them at the end of 2013, releasing the last update in 2015. If we look at the first-generation WD My Cloud, for example, its latest firmware was released on March 13, 2019, so more than two years have passed in which a similar vulnerability could make an appearance again. Therefore, it is advisable to disconnect it until the extent of the vulnerability, and whether it can affect more devices, is known.