Should Western Digital Emergency-Patch Old NAS Devices?
As Attackers Wipe Outdated Devices, Company Promises Trade-In on Newer, Supported Devices

The saga around how scores of aging Western Digital network-attached storage devices were remotely erased has deepened.
Researchers say the emergence of a zero-day software vulnerability appears to have played a role in combination with an older vulnerability. It appears that competing groups of attackers may be trying to corral the old devices - the My Book Live and My Book Live Duo NAS products - into a botnet.
Although Western Digital is advising that the devices be disconnected from the internet, they could be irrevocably compromised by attackers and should be retired, says Derek Abdine, CTO of Censys, a company that helps organizations monitor their network resources for security risks. Abdine says the master boot record may have been tampered with, although he says he has no evidence of it.
"I realize this is fairly extreme, but if someone has root access to a device of mine, I'm basically going to burn it to the ground and buy fresh hardware," Abdine tells me.
It appears Western Digital has realized the gravity of the problem. In an update to its June 24 advisory, the company says it will provide data recovery services to those affected. Also, it will launch a trade-in program to upgrade to a My Cloud device, a newer product line.
"Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement," the company says.
'Ticking Time Bombs'
The situation kicked off around June 24 when owners of the two types of Western Digital devices reported their data had suddenly been erased.
Western Digital introduced the drives in 2010, and the final firmware updates were issued in 2015 (see: Data-Wiping Attacks Hit Outdated Western Digital Devices).
Nonetheless, tens of thousands of users continued to use the still-functional devices after 2015. But their security risks arguably increased over time.
The mass erasure was thought to be solely linked to CVE-2018-18472, a remote command execution vulnerability revealed in June 2019. Western Digital apparently didn't fix that flaw, which was problematic on its own, given the wide use of the products.
The situation highlights the risks around manufacturers discontinuing security support for devices that are still in wide use, offering opportunity for attackers. There's a growing call for IoT device manufacturers to clearly state how long they will support devices, including security updates.
Brad Ree, CTO of the ioXt Alliance, a trade group that develops baseline IoT security specifications, says there's currently no way for consumers to know when they're putting themselves at risk.
"Devices like this are ticking time bombs, as consumers expect that the security of the device will last as long as the drives can still store data," Ree tells me.
Factory Reset Via Zero-Day Flaw
The latest twists in the Western Digital situation are outlined in an in-depth story from Ars Technica and a technical blog post written by Abdine.
The zero-day vulnerability can allow a remote attacker to trigger a factory reset, Abdine writes. For some reason, Western Digital had disabled lines of code in the factory reset feature that would have required authentication by a device's authorized user.
Western Digital says in an advisory that the zero-day vulnerability, CVE-2021-3594, "was introduced into My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware."
According to Western Digital, some attacks involving the older vulnerability, CVE-2018-18472, resulted in malware being installed. The company says that log files from the NAS products show malicious Linux ELF binaries for My Book Live's PowerPC architecture have been installed. The malware can be found here on VirusTotal.
The situation became a whole lot hairier when devices ended up being completely erased. It's not exactly clear what has transpired, but it's possible a different group of attackers discovered the zero-day vulnerability. That would have allowed those attackers to remotely erase a device.
Why attackers would trigger a factory reset on a mass scale is unknown, Abdine writes. The action might not have been aimed at wanton destruction, although that was the result.
Abdine writes that factory-resetting a NAS device might have also reset its configuration to the default login credentials of admin/admin, allowing different attackers to wrest control of someone else's bots.
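To make the bug class concrete, here is an added model (not Western Digital's firmware code, and not from Abdine's post) of a factory-reset handler whose authentication check has been disabled, beside the corrected form, and of the credential reset to admin/admin described above. Device state, handler names and the owner's credentials are constructed for the example.

```python
# Added illustration: a destructive endpoint whose auth check was disabled,
# next to the hardened version. All state and names are constructed.
from dataclasses import dataclass, field

DEFAULT_CREDS = ("admin", "admin")  # defaults the article says a reset restores


@dataclass
class Device:
    creds: tuple = ("owner", "s3cret-passphrase")  # constructed owner-set creds
    data: list = field(default_factory=lambda: ["family-photos", "backups"])
    sessions: set = field(default_factory=set)


def login(dev, user, password):
    """Return a session token only for the currently configured credentials."""
    if (user, password) == dev.creds:
        token = f"sess-{len(dev.sessions) + 1}"
        dev.sessions.add(token)
        return token
    return None


def factory_reset_vulnerable(dev, session=None):
    """Bug pattern: the authentication lines exist but are disabled."""
    # if session not in dev.sessions:
    #     raise PermissionError("login required")
    dev.data.clear()            # any caller reaches the destructive path
    dev.creds = DEFAULT_CREDS   # device now answers to admin/admin
    dev.sessions.clear()
    return True


def factory_reset_hardened(dev, session=None):
    """Fix: the destructive action is gated on a valid session."""
    if session not in dev.sessions:
        raise PermissionError("factory reset refused: login required")
    dev.data.clear()
    dev.creds = DEFAULT_CREDS
    dev.sessions.clear()
    return True


def demo():
    """Unauthenticated reset wipes only the vulnerable device."""
    v, h = Device(), Device()
    factory_reset_vulnerable(v)           # no session, still wipes
    wiped = v.data == [] and login(v, *DEFAULT_CREDS) is not None
    try:
        factory_reset_hardened(h)         # no session, refused
        refused = False
    except PermissionError:
        refused = True
    return wiped, refused, h.data
```

The `wiped` flag in `demo` also shows why a reset matters beyond data loss: the device immediately accepts the default credentials again.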
Tens of thousands of the affected Western Digital devices are still connected to the internet. Abdine writes that Censys' search engine found 55,348 devices by looking for the installed TLS certificate. The U.S. has 29.8% of the devices, followed by the U.K. with 18.6% and Canada with 11.9%.
Maybe Still Patch?
There's a case to be made that perhaps Western Digital should patch the products or at least, in the future, pay closer attention to vulnerabilities found in its retired product lines.
Abdine tells me Microsoft has released patches for flaws in operating systems such as XP long after it reached end of life. Western Digital should update the firmware and release a new version, he says.
With the upgrade program and a program to help those customers affected by the data wipeout, Western Digital is making the right noises. But still - as mentioned before - the IoT space is seeing stronger demand for longer-term software support.
Regulators haven't set anything in law just yet. But there's an argument that even existing consumer protection laws require that device manufacturers should be responsible for ensuring their products are safe for a reasonable amount of time.
It's unlikely that manufacturers will be able to ignore security problems in their products that last years beyond the periods the companies want to support them. Can we imagine Tesla not updating the software in its vehicles after five years?
Extended support may mean we end up paying more initially for, say, a storage device. But perhaps there's comfort in knowing a vendor is doing its best to prevent attackers from coming along one day and wiping all your data.