Turns out it was reported to Western Digital in 2018. But since the devices were end-of-lifed in '15, they decided not to push an update that would have prevented this happening to their customers.
Nice company.
Here's the even better part.
It's possible the bug lives on in another of their products: "Wizcase [the security researcher who found the flaw] said the flaw it found in MyBook devices also may be present in certain models of WD MyCloud network attached storage (NAS) devices, although Western Digital’s advisory makes no mention of its MyCloud line being affected."
https://krebsonsecurity.com/2021/06/mybook-users-urged-to-unplug-devices-from-internet/And now for my rant.
This is why I am fundamentally opposed to Internet of Things devices and needlessly connecting things to the internet. Almost all of the companies that make these devices do not do a good job of supporting them and providing security updates because there's no continuing revenue stream: you buy them, or more precisely, once Best Buy or Amazon buys them, there's no continuing money going back to Western Digital or whoever to pay for their programmers to continue updating the software.
Also, these devices use an older, stripped-down version of Linux as their operating system so that it will run on low-powered CPUs. It simplifies programming and lets it run on lower-end CPUs which saves cost. And is more vulnerable to exploits. In this case, the vulnerability was discovered THREE YEARS AGO, and Western Digital was "*MEH*, not our problem. It's the customer's problem if they get stomped on, because they shouldn't be using hardware past its end of life connected to the internet."
How many people buying these devices and connecting them to the internet are security experts?
I'm not raising my hand, because I'm not a security expert. I know more than most non-experts, but I'm not a trained and certified expert. I do know enough not to trust things connected to the internet because they're inherently not trustworthy. The makers have no profit motive to keep them secure, and when it comes to devices like Alexa and such, while they are convenient, they are there to suck marketing information from your life. If you don't mind that, fine. I have no problem turning on lights and my stereo and selecting my own music by myself and I can look at the weather app on my phone to know if it might rain. Yes, I'm a bit of a luddite. I prefer to avoid my devices potentially being compromised.
The mistake people made with these Western Digital devices to access files across the internet was already a solved problem. It's known as SFTP. Western Digital is known for one thing - making hard drives. That's it. People shouldn't rely on them for anything beyond that. If you have a real need to access files remotely, then get a hosting account and/or set up an SFTP server and get your files that way.
A friend of mine did that exact thing when he did remote file installs for a software company, he traveled around the country doing these setups and kept software packages, updates, help scripts, etc on a server in his house that only he could access. Nowdays he could probably carry everything on a bunch of USB flash drives, but not back then.
I think the big question is, do you
really need to access all that data remotely, or do you just think it would be cool to be able to? And do you really need two terabytes worth, or could you pare it down to the point that it could fit in Dropbox/OneDrive/iCloud/Googlewhatever? Do you really need instant access to a letter that you wrote twelve years ago cancelling a credit card?
One last thing about backups and the value therein. There are three basic purposes to backups. One is catastrophic recovery: computer theft, hard drive crash, something like that. One is accidental file overwrite, another is file deletion. In the case of deletion, usually you can get it back from the recycle bin, but not always. In the case of overwrite, your only recourse is from backups, those are true OMG! moments. I've done that before. Recovery from backup is only as good as your most recent backup.
But here's the problem: system administrators have a rule of thumb that you don't have a backup until you've tested it by restoring a file from it. And you don't have a safe backup system unless you have at least one copy stored away from your home or business, i.e. off-site. If you're retired, this becomes a little tricky. Me, I have two sets of backup disks. At the start of the month, I take the disk that my iMac currently backs up to into work with me, and it goes into my desk. The disk that's there comes home, and gets plugged in. There's a second disk there that I use to back up our laptops, we currently have three. I refresh those monthly and that disk gets stored in a fire-resistant lockbox that we have here at the house, swapped with its partner at work.
I can inspect those disks with my laptop at work and test them when I have time. And I misspoke, we have four laptops: I also have a Windows laptop that has a slightly different backup routine, but that's another story. I'll talk about Windows backups another time.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
