Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning. The vulnerabilities being exploited in this attack are limited to the My Book Live series, which was introduced to the market in 2010 and received a final firmware update in 2015. These vulnerabilities do not affect our current My Cloud product family.
Firmware Update Wd My Book Live Duo Setup
The first indication of the problem came in a June 23 post to the WD support forums by user "sunpeak" about a now-empty My Book Live device ("somehow all the data on it is gone today"), though the 2TB device had been nearly full before that. Sunpeak also reported that the administrative password had been changed so they could not log into the device. It was not long before others added their stories of woe to the thread. In the early going, there was concern that WD had released some kind of firmware update that caused this behavior, but it turns out that those devices have had no updates for quite some time at this point.
WD posted an update explaining that the commented-out checks weren't the actual problem:

> We have heard concerns about the nature of this vulnerability and are sharing technical details to address these questions. We have determined that the unauthenticated factory reset vulnerability was introduced to the My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware. The refactor centralized the authentication logic into a single file, which is present on the device as includes/component_config.php and contains the authentication type required by each endpoint. In this refactor, the authentication logic in system_factory_restore.php was correctly disabled, but the appropriate authentication type of ADMIN_AUTH_LAN_ALL was not added to component_config.php, resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the appropriate authentication type to the component_config.php file.

That explanation doesn't reflect any better on their software engineering competence, though - it still sounds like a bunch of cobbled-together PHP and shell scripts with inadequate testing. And it doesn't reflect well on their decision to stop providing security updates for an internet-connected device that is specifically designed for long-term data storage, where it's obvious that people will keep using it for many years after it's been discontinued and will be seriously hurt if the device is exploited.

WD also say:

> For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services. My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud device. Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement.

so at least they'll be paying some cost for their mistakes.

It's quite possible they've had a cultural change and started taking security a lot more seriously since 2011 when they wrote that buggy PHP code; but it's also quite possible they haven't; so I guess it'll take a lot of effort if they want to earn people's trust in their ability to securely store data.

An unpleasant surprise for My Book Live owners
Posted Jun 30, 2021 20:49 UTC (Wed) by Paf (subscriber, #91811)
OpenWRT has supported My Book Live for almost five years now (anniversary in two weeks): =openwrt/openwrt.git;a=commit;h..., _digital/mybooklive. Debian used to mostly work, before the removal of powerpc support in stretch.

An unpleasant surprise for My Book Live owners
Posted Aug 2, 2021 16:38 UTC (Mon) by mcortese (guest, #52099)
We have determined that some My Book Live devices have been compromised by a threat actor. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015.
There's no evidence Western Digital cloud services, firmware update servers, or customer credentials were compromised. However, if you have lost data as a result of these vulnerabilities and attacks, you can expect data recovery services to be provided by Western Digital beginning in July. My Book Live device owners will also be offered a trade-in program to upgrade to a My Cloud device, which still benefits from active support. Details of both the data recovery service and trade-in programs will be released separately in the near future.
You may find it challenging to open up your WD My Book Live yourself to extract its hard drive. If that is the case, you can get help from a hardware expert. It is a careful process, and mishandling anything can damage your WD My Book Live hinges.
While details about the "how" and "why" of this particular incident are thin on the ground, Western Digital noted its My Book Live NAS devices last received a firmware update in 2015. In practice, this means almost seven years of security vulnerabilities that haven't been patched, leaving users at risk.
The original firmware is even more complicated: the root filesystem is on a RAID with four members. There are two copies on each disk, which are used in the firmware update process (disassemble the RAID, update the first partition on each disk, and if it boots normally, reassemble the RAID with the new firmware).
The MyBook Live is delivered with a Lenny Linux-based system. Any update of the WD firmware wipes out your own installed upgrades and new packages. The delivered firmware is not compatible with all upgrades you can make. We will try to list known problems, mostly related to packages very close to the system (example: udev) or related to WD Web System Management ( //yourIP/UI).
4. If you upgrade the firmware through WD's UI, all customizations will be removed. This does not include SSH access, but it includes packages, kernel modules, SSH keys in /root/.ssh, everything that is not configured through the Web UI. WD's upgrade is actually very clever: the system's root partition is a 'fake RAID' (two 2GB partitions on the same disk) and during upgrade, they disable one of the copies, install a new partition image, then synchronize the fake RAID, and reboot. So everything gets overwritten. This can also help if something is broken - just upgrade the firmware again, and everything will be reset to normal. You can force a firmware upgrade by making the Mybook Live think it has an old version:
Last June 25, US-based company Western Digital recommended that users disconnect their My Book Live and My Book Live Duo devices from the internet to protect the data on these devices. My Book Live and My Book Live Duo devices were introduced to the market in 2010 and received their final firmware update in 2015.
I am also having the same problem, backing up my new iMac (1 month old) with Lion on to a WD mybooklive that I previously used to successfully back up 2 Windows PCs running Vista (no probs). I was initially planning to reset the WD drive to factory settings and then try the Time Machine back up - my reasoning being that Mac and Windows back ups on same drive causes the problem. I then thought I might just call the Mac support people! :-)
Any idea how to back up specific folders on Mac on the mybook live duo? I could back up full PC on Time Machine or so, however I can not access my files as photos and music and documents like I used to do when backing up a Windows laptop.
These devices haven't had a firmware update since 2015, so it's perhaps unsurprising that an exploit such as this exists. It appears as though the vulnerability has been known since 2019, too, so this is a terrible look for a company specializing in the area of data storage. Let's hope it does all it can to help those who have lost years' worth of data.
The My Book Live and My Book Live Duo products have been discontinued, with the last firmware updates released in 2015. WD says its newer products are not impacted and claims there is no evidence that its cloud services, firmware update servers, or customer credentials have been compromised.
Western Digital's investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised, the company says. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.