A zero-day vulnerability in Western Digital My Book Live NAS device has allowed a threat actor to perform a mass-factory reset of devices last week including admin passwords. Once reset, the user will lost the data and will not be able to access their accounts.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Craig Young
Craig Young , Principal Security Researcher
InfoSec Expert
July 1, 2021 1:05 pm

<p>This is a particularly interesting case because we don’t often see widespread zero-day attacks like this and there is no clear motivation for the attacks. As far as I know, targets were indiscriminate and did not focus on a particular region or userbase. The attacks may have been someone’s attempt to draw attention to poor IoT security practices or it may have just been someone in it ‘for the lulz’. It’s possible that we’ll never know who was behind this campaign or why.</p> <p>&nbsp;</p> <p>The vulnerability itself is also interesting. This was enabled by an authentication bypass in the factory reset functionality, but a review of that script shows that the authentication handling code had been commented out. I suspect the product once enforced password authentication before reset but that this may have led to a usability issue such that the vendor made the conscious decision to disable password verification on this script. A researcher reviewing the firmware can then find this oversight, recreate the appropriate request, and trigger a factory reset without a password. The fact that a vendor would intentionally ship code like this on a product which is regularly exposed to the Internet is alarming.</p> <p>&nbsp;</p> <p>It is unfortunately very common to find that vendors take shortcuts with respect to authorization and authentication on embedded devices in order to simplify the user experience. Without serious third-party scrutiny, it is nearly impossible for the average consumer to get a sense of whether any given product has been designed securely. When buying IoT gadgets, consumers must consider the consequences of an attack against this system and use this to inform their behavior. Having your own “cloud storage” device is great, but if disclosure or destruction of this data would be devastating, it is critical that the system be secure.</p>

Last edited 1 year ago by Craig Young
Would love your thoughts, please comment.x