A short while back, I posted about the Western Digital MyBook Live vulnerability. Now that the dust has settled, I’ll go more in depth on what happened and what can be learned from this situation going forward.
Here is a brief summary. Western Digital’s MyBook Live is a Network Attached Storage (NAS) device, which is primarily used by residential and small business users to store or backup their data, such as pictures, documents, accounting records, etc. Like many of today’s electronics, these devices are connected to the internet to allow the user to access their data from anywhere. Released for sale in 2010, the MyBook Live devices were supported for 5 years and received a final firmware update in 2015. At that time, Western Digital released a new hardware model that ran My Cloud OS 3 firmware, which was eventually replaced by My Cloud OS 5 in 2020. When My Cloud OS 5 firmware was released, Western Digital ceased supporting My Cloud OS 3, but not all hardware models were capable of upgrading to Version 5.
In June 2021, some users of these devices discovered that all data stored on their MyBook Live had been lost, due to a vulnerability in the firmware that had been used maliciously to remotely erase people’s data. It was soon realized that the newer hardware devices running My Cloud OS 3 had a similar vulnerability. Since Western Digital no longer updates My Book Live and My Cloud OS 3, the users of these devices are now forced to consider the purchase of a newer model to ensure security of their data.
My intent is not to drag Western Digital down because they have a vulnerability in their software. All software has vulnerabilities in it, some known and many that are unknown. But there are a few takeaways that we can learn from this situation, particularly regarding similar internet-connected devices.
Keep your devices up to date. A lot of people put off doing software/firmware updates on their devices, thinking they may cause more issues than they solve. Unfortunately, this delay results in important security fixes going unpatched, which can leave you and your data at risk. Without regular software updates, vulnerabilities like this can go dormant for almost a decade, before being exploited as we saw with My Book Live.
A device’s lifespan doesn’t start when you buy it - it starts when it is first released. Buying last generation electronic devices can result in good deals and significant savings. But if you are buying an older product that the manufacturer no longer supports, you leave yourself open to vulnerabilities that could be exploited in the future. When I make product recommendations to customers, I aim to get them the most life and value from the purchased product as possible.
Buy products from companies that are known for those types of products. These companies typically provide better overall support and security updates long after the product has been discontinued, as they have a larger investment in making sure that product continues to perform well. As a result, I prefer buying products from companies who specialize in the product I’m buying/selling. For example, Western Digital is a very good brand, and I exclusively use Western Digital Hard Drive and Solid State Drives in my personal and clients’ equipment. However, NAS Drives, while related, would be considered a secondary product line for Western Digital.
Buy products from reputable brands. Some online marketplaces have become filled with knock off and unknown brands selling products at much cheaper prices than their mainstream brand competition. Product support from these unknown brands is generally non-existent, security updates should not be expected, and security on these devices is generally pretty low to begin with. Security updates are an easy place to save money because very few people are looking for them, so a lot of these knock off companies just choose to ignore them. However, this cost-saving measure leaves the user particularly vulnerable.
Every device on your network is a potential door into your house - without regular security updates, you are essentially leaving the door wide open for anyone to walk in. Keep in mind, people all over the world are looking for software weaknesses to exploit. These devices, once compromised, can let attackers into your entire network to search out other vulnerabilities to exploit. These are all things I keep in mind with the products we recommend to our customers. If you have any questions at all on this subject, please reach out or leave a comment. I am glad to assist in any way I can.
Comments