Western Digital's network hard drives from the My Book Live and My Book Live Duo series could be attacked unnoticed for at least two years. One of the reasons for this is a security hole with the CVE number CVE-2018-18472, with which strangers can access the storage solely via the IP addresses of the hard drives.
This vulnerability, at least, led to the loss of data on many HDDs of the My Book Live series. In a blog post, Western Digital writes that Trojans were found on affected models and that they were introduced via the CVE-2018-18472 vulnerability. The National Vulnerability Database (NVD) classifies the latter as a high security risk, with a score of 9.8.
The CVE entry has existed since mid-2019. However, Western Digital does not offer firmware updates, as the My Book Live series was discontinued in 2014. The urgent recommendation therefore continues to be to disconnect the affected hard drives from the Internet and operate them only in a local network.
Meanwhile, the website Ars Technica reports a second security hole in the My Book Live HDDs, which security researchers found in the wake of the large-scale attack on the models. According to the report, Western Digital (presumably accidentally) removed a security check that required a password for a factory reset. The data on at least some hard drives is said to have been deleted in this way without a password, as the manufacturer confirmed to Ars Technica.
The idea that two factions could have gotten in each other's way is purely speculative. Theoretically, someone could have built a botnet with the network hard drives over the past few years (they contain small PowerPC processors), and the Trojans that were found point in that direction. The reset to factory condition, which may have come from a second party, is atypical. However, there is no evidence of this.