More than two exploits are used to cause the mass deletion of data from WD My Book Live NASes. When news broke that people were finding that their data was missing, pointed to a known exploit from 2018, which allowed for root access of the device.
The second exploit, doesn’t give an attacker full control over the device like the other exploit. It just allows them to remotely wipe the device without having to know the password.
WD says the code that was deactivated was intentional, and was due to the company refactoring how the authentication was done on the device. However, the company says the exploit was introduced when the refactor failed to add the correct authentication type, resulting in the vulnerability.
The data deletion happened as the result of a fight between hackers, with one botnet owner potentially trying to take over or disrupt another’s. One hacker was using the known exploit to control the devices for some nefarious purposes. Then, another entity used the unknown remote wipe exploit to erase those devices. It likely would’ve removed the first entity’s access to the hardware but users’ data was caught in the crossfire.
The theory does make sense, given the competing nature of the exploits used. (Why would a hacker burn a previously unreported exploit to factory reset the machines after already having root access?) That said, in WD’s security advisory it says that, in some cases, it was the same party that used both exploits. In a statement to Ars, WD said it was “not clear why the attackers exploited both vulnerabilities.”
Also included in WD’s update is a plan to help My Book Live owners: the company will be providing data recovery services, and offering a trade-in program that will allow customers to get a device that’s currently receiving software support.