Owners of WD’s My Book NAS devices worldwide reported that their devices had reset to factory settings on their own, erasing all the data stored on them.
Western Digital’s My Book is a storage device that works remotely through your network connection. It is designed like a book which you can keep at your desk. It can be accessed remotely by the owner using the WD My Book Live app, allowing the owner to manage their files and devices remotely, even if the NAS is behind a firewall or router.
On 24th June, WD My Book owners worldwide reported their files were deleted and they could no longer log in to the device via a browser or an app. When they attempted to log in via the Web dashboard, the device stated that they had an “Invalid password.”
“I have a WD My Book live connected to my home LAN and worked fine for years. I have just found that somehow all the data on it is gone today, while the directories seem there but empty. Previously the 2T volume was almost full but now it shows full capacity,” a WD My Book owner reported on the Western Digital Community Forums.
Soon, several more owners reported the same thing on the WD forum, and it was confirmed that the problem was occurring on a large scale. Users then reported that their devices had received a remote command to perform a factory reset, starting at around 3 PM yesterday and continuing through the night.
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive _: pkg: wd-nas
Jun 23 16:02:30 My BookLive _: pkg: networking-general
Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive _: pkg: date-time
Jun 23 16:02:31 My BookLive _: pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
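A check an owner could run over a saved copy of the device log to find when a factory reset began and when the device came back up. This is an added example, not part of the original report or any Western Digital tooling; the function name `find_factory_resets` is hypothetical, and the year is an assumption supplied by the caller because syslog timestamps carry none.

```python
import re
from datetime import datetime

# The excerpt quoted in the article, one entry per line (hostname kept as printed there).
SAMPLE_LOG = """\
Jun 23 15:14:05 My BookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 My BookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 My BookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 My BookLive _: pkg: wd-nas
Jun 23 16:02:30 My BookLive _: pkg: networking-general
Jun 23 16:02:30 My BookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 My BookLive _: pkg: date-time
Jun 23 16:02:31 My BookLive _: pkg: alerts
Jun 23 16:02:31 My BookLive logger: hostname=My BookLive
Jun 23 16:02:32 My BookLive _: pkg: admin-rest-api
"""

# Groups: timestamp, host (contains a space in the excerpt), tag, message.
ENTRY = re.compile(r"^(\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s(.+?)\s(\S+):\s?(.*)$")

def find_factory_resets(lines, year):
    """Return one record per factoryRestore.sh start; the caller supplies the year."""
    events = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        host, tag, msg = m.group(2), m.group(3), m.group(4)
        if tag == "factoryRestore.sh" and msg.startswith("begin script"):
            events.append({"host": host, "reset_at": ts,
                           "reboot_logged": False, "back_up_at": None})
        elif events and events[-1]["back_up_at"] is None:
            # Lines after a reset: the reboot notice, then the first boot script.
            if tag == "shutdown" and "reboot" in msg:
                events[-1]["reboot_logged"] = True
            elif tag == "S15mountDataVolume.sh":
                events[-1]["back_up_at"] = ts
    return events

if __name__ == "__main__":
    for e in find_factory_resets(SAMPLE_LOG.splitlines(), year=2021):
        print(f'{e["host"]}: factory reset started {e["reset_at"]}, '
              f'reboot logged={e["reboot_logged"]}, back up {e["back_up_at"]}')
```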
WD’s My Book devices sit behind a firewall and communicate through the My Book Live cloud servers to provide remote access. Since this is unlike a QNAP device, there is little point in attributing the attack to the QLocker ransomware.
“At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device,” Western Digital said in an advisory.
“Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.” – Western Digital