Western Digital: Where Things Went Wrong & 3 Steps for Product Managers to Remedy
This month has been off to a bad start for My Book Live & My Cloud users and even worse for Western Digital.
It all started with Ars Technica publishing a write-up of how hackers exploited a 0-day to wipe My Book Live devices of all user data. A string of brand-damaging media coverage followed, and a week later yet another vulnerability was disclosed in their My Cloud NAS boxes, which really fanned the flames of an already burning brand.
Owners of Western Digital's My Book Live and My Book Live Duo devices found their storage completely wiped. As users fumed about losing years' worth of data, security researchers explained that this was due to two vulnerabilities: the first a remote code execution (RCE) flaw that allowed the device to be compromised, the second a critical security bug that allowed hackers to remotely trigger a factory reset without a password.
The vulnerability disclosed later involves an attack chain that allows an unauthenticated intruder to execute code as root and install a persistent backdoor on the My Cloud network-attached storage (NAS) device. This effectively gives hackers a back entrance through which to plant whatever malware they like, and it survives a reboot.
In these situations, defense has to be proactive. An endpoint detection and response agent specifically tailored to IoT devices can keep these types of incidents at bay. Below we detail how product processes allowed these exploits to occur and what product managers can do to remedy them.
The My Book Live is Dead
Western Digital stopped supporting the My Book Live in 2015. The first remote command execution vulnerability surfaced in late 2018, but because it was found three years after Western Digital stopped supporting the device, the bug was never fixed. The My Book Live attack is significant not only because hackers were able to wipe years of user data from every affected device, but also because a Western Digital developer had actively removed the code that required a valid user password before a factory reset could be performed.
Their decision to stop supporting the My Book Live may have come down to it no longer being profitable, but that doesn't mean hackers got the memo. On the contrary, popular devices that are no longer supported are a prime target for hackers, because they offer an opening that stays exposed indefinitely. Removing the code that required a valid user password before a factory reset was an unjustifiable risk, most likely a critical oversight.
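As an added illustration (not Western Digital's code, and not code from the original article), the hypothetical Python below shows a factory-reset handler in the shape of the defect just described: one variant with the password check commented out, one with the check kept, and a regression check a product team can run against every privileged handler so that the check cannot quietly disappear again. The class and function names, and the sample user data, are made up for the example.

```python
# Added example, not Western Digital's code: a factory-reset handler with the
# password check removed (the defect described above), the hardened handler,
# and a regression check that fails if the check is ever removed again.
import hashlib
import hmac
import os


class AuthError(Exception):
    """Raised when a privileged request lacks a valid user password."""


class Nas:
    """Hypothetical stand-in for a NAS with one admin password and user data."""

    def __init__(self, admin_password: str) -> None:
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(admin_password)
        # constructed sample data standing in for the owner's files
        self.user_data = {"photos": 12_000, "backups": 4}

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def verify_password(self, candidate: str) -> bool:
        # constant-time compare so the check itself does not leak timing
        return hmac.compare_digest(self._hash(candidate), self._pw_hash)


def factory_restore_vulnerable(nas: Nas, request: dict) -> str:
    """Reset handler with the password check commented out: anyone who can
    reach the endpoint wipes the device."""
    # if not nas.verify_password(request.get("password", "")):
    #     raise AuthError("valid user password required")
    nas.user_data.clear()
    return "restored"


def factory_restore_hardened(nas: Nas, request: dict) -> str:
    """Reset handler that refuses to wipe without a valid password."""
    if not nas.verify_password(request.get("password", "")):
        raise AuthError("valid user password required")
    nas.user_data.clear()
    return "restored"


def unauthenticated_reset_is_rejected(handler) -> bool:
    """Regression check: a reset with no password must be refused AND must
    leave the data intact. Run it against every privileged handler in CI so
    that commenting out the check fails the build instead of shipping."""
    nas = Nas("correct horse battery staple")
    before = dict(nas.user_data)
    try:
        handler(nas, {})                 # request carrying no password at all
        return False                     # wiped without authentication: fail
    except AuthError:
        return nas.user_data == before   # refused, and nothing was touched


if __name__ == "__main__":
    print("vulnerable handler rejects unauthenticated reset:",
          unauthenticated_reset_is_rejected(factory_restore_vulnerable))
    print("hardened handler rejects unauthenticated reset:",
          unauthenticated_reset_is_rejected(factory_restore_hardened))
```

The regression check is the process fix: a one-line code removal like the one described above is invisible in a feature review, but a test that sends an unauthenticated reset to every privileged endpoint turns it into a failed build.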
My Cloud in No Man’s Land
The NAS device vulnerability is in the old My Cloud OS 3, which, again, is another platform that is no longer supported and is effectively sitting in no man's land when it comes to security patching. According to Radek Domanski and Pedro Ribeiro, the security researchers who discovered the exploit, My Cloud OS 3 was replaced by My Cloud OS 5, an almost total rewrite of its predecessor, but a slimmer one. OS 5 no longer has the bug, but it also lacks many of the popular functions and features of OS 3. For that reason the researchers believe many users are unlikely to upgrade, a sentiment that certainly seemed to be borne out on Western Digital's support forum, where many OS 3 users were complaining about their data vanishing.
Western Digital knew about the flaw affecting OS 3 several months before support ended for that platform. While their focus was clearly on releasing a new major version that included the security fix, they should also have backported the fix to OS 3 in the considerable time they had before putting it out to pasture.
All Quiet on the Western Front
In both cases, Western Digital failed to respond to the security researchers, who found five critical remote code execution flaws and published their findings back in November 2020. Instead, the response was a veritable shrug of the shoulders; the company never clarified whether any of the discovered flaws were being patched. At its most responsive, it released a recommendation for users to ditch OS 3 and upgrade to OS 5.
The critical remedies for product managers
As bad as things look, Western Digital can still salvage its reputation in the critical next few days, as the public is watching to see how it responds to these exposed vulnerabilities.
- Publicize commitment to security & accept responsibility
Western Digital will need to demonstrate and publicize its commitment to the security and privacy of its users around the world. The company has clearly built its brand on its social conscience and ethics, so it is especially important in this circumstance that it walks the talk and accepts responsibility. If it chooses to sweep the event under the rug or deflect blame, it will look weak and hypocritical, and the tireless effort to establish customer loyalty and trust will be severely undermined.
- Put proof behind the commitment & demonstrate the new security measures
They will need to detail the additional security measures they are taking to prevent similar RCEs in the future. That means continuing to patch devices and operating systems that are no longer actively supported, ideally as part of a larger protocol for how the security of old devices will be maintained as new flaws come to light, flaws that will undoubtedly still affect users. Customer reassurance must be demonstrated, not just promised; providing the details of how these vulnerabilities will be closed is critical.
- Build resilience against future exploits & get real-time security on the device
Where a manufacturer is no longer supporting a device, a proactive security layer becomes critical to minimizing the risk of its continued use. Even if a product version is put out to pasture, a proactive security solution on the device will continue to operate, monitoring for exploits, malware, and unusual behavior, and will keep the device protected even if the manufacturer has moved on.