How do I use WD My Book Live Duo after WDC-21008 attack?

The advisory says to remove it from the internet, but the device was originally on my LAN behind a NAT thus the only connection to the internet happened through the WD Cloud (wdtogo2.com) service. Now that all my data is gone, and the device has been factory reset, what do I do with it? How can I use it in my LAN without internet access? It does not make sense to connect it directly to an ethernet port in my computer, when the purpose is to create a shared location for multiple computers, but multiple computers are connected to the same router/switch which provides internet access. How do you remove internet access from My Book Live Duo, but still use it as a NAS?

Turn off remote access in the settings. I’ve done exactly that and I can still stream music and videos within my home.

If I understand the security issue on MBLD it’s only a threat if remote access is enabled. So unless you need to access the data on your drive from another location or when you’re away from home that should be sufficient.

I am not 100% sure if that will work - I don’t remember turning on any remote access on the device and it still got hacked. I am wondering the right (or complete) answer for this question as well - I have a perfectly fine mybookliveduo drive with 2x3TB drives sitting idle. Except of course for the cursed software on it with all the vulnerabilities that WD will never patch.

Perhaps there is a way to use the drives and the enclosure as-is but with a Raspberry Pi? Otherwise, I am planning to take the drives, put them in their own (individual) enclosures and attach them to a RPi and make a NAS using openmediavault software.

And no, I am not thrilled about the 40% discount here to get another one of WD’s ancient products (EX2, which was released in 2016!) which is likely going to be unsupported in a few years.

Sorry to hear about your predicament. I had remote access activated but did not get hacked. Perhaps I was lucky. I’m not sure I can contribute much more that is useful to you.

May I indulge your patience a little and ask you to check your settings to see if remote access was enabled or not in your case? If you had remote access disabled and still got hacked it would be beneficial for others in the WD community to know and learn from as well as myself.

@Tangent147, will check and update.

In the meanwhile, found this article:
https://www.clusterednetworks.com/blog/post/wd-my-book-live-security-fix
Video version: WD My Book Live Security Fix - YouTube

Seems promising! I am trying to get back the My Book Live Duo as a LAN-only device, so that it cannot connect to the internet nor can it be addressed from outside.

  1. Reflash the device with the latest (ugh, the one from 2015) firmware. This is important to erase any malware in case the hack involved changing any of your OS files, installing malware, etc.
  2. Disable Remote Access in the device
  3. Remove gateway IP in network settings
  4. Turn off UPNP (on the NAS and your router); although turning it off on the NAS may interfere with its visibility from other devices on the LAN (for e.g. my LG TV). Needs to be verified. It may be ok to just enable it on the router only (I have already done that).
    3a) Check your router for any port forwards to the NAS IP. This is only present if you or someone in your household added it, but it is good to check and remove.
  5. I am also planning to create a “software faraday cage” via my router (Deco X60) where I use the parental controls to turn off all internet access to the NAS pretty much entire 24/7/365.

Please add any other tips needed.

@Tangent147 - yes it seems like Remote Access was indeed enabled for me… now, I am not sure if that setting got turned on automatically after the hack-reset happened or not (i.e. if the reset ended up resetting the settings as well to default values).

I have now implemented the above mentioned security changes and am reusing the MBL Duo. We’ll see, I am monitoring closely.

Unfortunately dealing with WD support is a nightmare. I spent over 2.5 hours on the phone only to be connected with a person who did not know anything about the vulnerability. They said they would send me a coupon to upgrade to a more recent device, but heck no. After this experience I am not going to ever buy a WD product. All they have to do is release a fix, even if not under support it does not take much for their engineers to edit the bad php file and ensure the vulnerability is no longer present. This is a scam.

Hi @Tangent147 How do you reflash the device with the latest, if the latest is already installed? For example, I have MyBookLiveDuo 02.43.10-048:Core F/W installed, and the only available release from WD is the same version. I download it again, and it comes down as apnc-024310–48-20150507.deb but when I try to use update from file, it says invalid firmware package. I have checked it is properly downloaded.

I don’t recall enabling remote access on my device either perhaps during an automatic update it was enabled or re-enabled.

Sorry no idea.

Over the weekend, I bought a raspberry pi4b, installed openmediavault and emby media server… Connected a (Seagate) 2TB external hard drive via usb3 and I have a full fledged NAS in place. The MBL will be turned off shortly for good. The whole thing cost me less than $100 (I already had the ext hdd, so it was just the cost of the rpi at eighty bucks).

I plan to harvest the 2 x 3TB drives in the MBL into a cheap JBOD enclosure and use it with the NAS.

I thought of buying the Synology DS220+ at first but decided vendor lock-in is just bad. With the rpi, I have full control over all the pieces of the puzzle and if a particular piece of software goes dormant I can move to another. We have to see how this works.

Oh, btw, I put the rpi4 into a “no internet” cage via my router’s parental controls feature. I will only enable it briefly whenever I need to update software. Otherwise there is absolutely zero reasons for any internet traffic to go in or out of the rpi. Upnp on the router has been turned off as well.

I don’t plan on buying any WD products in the future.


You just download the firmware file and do the update exactly like u did before - it will reflash regardless of version.

The .Deb file is a package, that is definitely not what u want.

Thanks sat24, but there is no other firmware to download. The only other download is the gpl source which is not listed as download. https://support-en.wd.com/app/products/product-detail/p/231#WD_downloads unless you know of another location where it may be posted.

My apologies. I went back and checked and my firmware I used to flash is exactly the same .Deb file. So I was wrong.

IMHO at this point, you may want to seriously consider throwing this device in the trash and using those hard drives in a different setup. With WD not supporting them, unless u r willing to compile ur own kernel etc. it is not easy to keep them running.

Thank you sat24. I agree, this is a dead weight device. I either bite with their 40% offer, which is expensive for my current needs, or find a vendor that has better suited needs. I still think that WD has done us wrong on this issue and they should have provided a patch, even if out of warranty.


I disabled internet access and did the following using ssh:
$ cd /var/www/Admin/webapp/classes/api/1.0/rest/device/
$ mv language_configuration.php language_configuration.php.xxx
on my single drive mybooklive as a temporary measure. I think this mitigates the worst of the security issues.

Maybe you could do the same on the duo, IDK because I don’t have one. Obviously this is not a solution if you need access from the internet.

I am working on getting an ex2 ultra at 40% off but it is a slog because WD is currently out of stock.
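The gateway-removal step from the checklist earlier in the thread and the file rename in the post above can both be re-checked from an SSH session on the NAS. The script below is an added example, not part of any post in this thread: the function names and the `nas_audit.sh` file name are this example's own, the REST path is the one quoted in the post, and it assumes a Linux `/proc/net/route` plus a POSIX shell with `awk` and `cut` on the device.

```shell
#!/bin/sh
# Added example, not from the thread: re-checks two mitigations on the NAS.
# Directory and file name are the ones quoted in the post above.
REST_DIR=/var/www/Admin/webapp/classes/api/1.0/rest/device
ENDPOINT=language_configuration.php

# Constructed sample in /proc/net/route layout: one default route via
# 192.168.1.1 and one on-link route for 192.168.1.0/24.
sample_routes() {
    printf 'Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n'
    printf 'eth0\t00000000\t0101A8C0\t0003\t0\t0\t0\t00000000\t0\t0\t0\n'
    printf 'eth0\t0001A8C0\t00000000\t0001\t0\t0\t0\t00FFFFFF\t0\t0\t0\n'
}

# /proc/net/route stores addresses as little-endian hex: 0101A8C0 is 192.168.1.1.
hex_to_ip() {
    printf '%d.%d.%d.%d\n' "0x$(echo "$1" | cut -c7-8)" "0x$(echo "$1" | cut -c5-6)" \
        "0x$(echo "$1" | cut -c3-4)" "0x$(echo "$1" | cut -c1-2)"
}

# Print the gateway of every default route (destination and mask both zero).
default_gateways() {
    awk 'NR > 1 && $2 == "00000000" && $8 == "00000000" { print $3 }' "$1" |
    while read -r hex; do hex_to_ip "$hex"; done
}

# audit ROUTE_FILE REST_DIR: print one line per check, return the failure count.
audit() {
    fails=0
    gw=$(default_gateways "$1" | tr '\n' ' ')
    if [ -n "$gw" ]; then
        echo "FAIL: default route still set via $gw"
        fails=$((fails + 1))
    else
        echo "ok: no default route"
    fi
    if [ -e "$2/$ENDPOINT" ]; then
        echo "FAIL: $2/$ENDPOINT is still in place"
        fails=$((fails + 1))
    else
        echo "ok: $ENDPOINT is renamed or absent"
    fi
    return "$fails"
}

# On the device: sh nas_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit /proc/net/route "$REST_DIR"; fi
```

Re-run it after a reboot, a DHCP lease renewal or a firmware reflash, since any of these can restore the gateway or put the original file back.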

DECEITFUL!!

I decided to take their bait and send in my disk via their RMA process. Today I received the coupon, but it only allows you to purchase:

        ▪ My Cloud Home 2TB
        ▪ My Cloud Home 4TB
        ▪ My Cloud Home 6TB
        ▪ EX2 Ultra 4TB
        ▪ EX2 Ultra 8TB

The EX2 are the only ones that meet my requirements, but they are NOT in stock. The Cloud Home drives do not create a local NAS that I can use with my MFP printer/scanner to store and share documents. The cloud home products require internet connectivity and the reviews are full of reported security issues. This is so disappointing that an otherwise reputable company will engage in such deceitful practices of offering a coupon for products that are not in stock.


@dswv42, I agree with you, but I want some value from my prior unit. At the very least they should allow the sku with zero drive to be purchased with this coupon. My requirement is very low, just need a share for my printer/scanner to save files when the computers are off, so I don’t have to use the pc when scanning. I am no longer going to trust my data to WD drives. There are cheaper and better options in the cloud providers.

Since the hack, I’ve reset and reformatted my MBLD and connected it directly (ethernet) to my Mac. I am using it solely for TimeMachine backups. The Mac is connected wirelessly to a small home network. My router doesn’t appear to see the MBLD. Does this mean that the MBLD is secure and safe from further hacks?