How do I use WD My Book Live Duo after WDC-21008 attack?

The advisory says to remove it from the internet, but the device was originally on my LAN behind a NAT thus the only connection to the internet happened thru the WD Cloud (wdtogo2.com) service. Now that all my data is gone, and the device has been factory reset, what do I with it? How can I use it in my LAN without internet access. It does not make sense to connect it directly to an ethernet port in my computer, when the purpose is to create a shared location for multiple computers, but multiple computers are connected to the same router/switch which provides internet access. How do you remove internet access from My Book Live Duo, but still use it as a NAS?

Turn off remote access in the settings. I’ve done exactly that and I can still stream music and videos within my home.

If I understand the security issue on MBLD it’s only a threat if remote access is enabled. So unless you need to access the data on your drive from another location or when you’re away from home that should be sufficient.

I am not 100% sure if that will work - I don’t remember turning on any remote access on the device and it still got hacked. I am wondering the right (or complete) answer for this question as well - I have a perfectly fine mybookliveduo drive with 2x3TB drives sitting idle. Except of course for the cursed software on it with all the vulnerabilities that WD will never patch.

Perhaps there is a way to use the drives and the enclosure as-is but with a Raspberry Pi? Otherwise, I am planning to take the drives, put them in their own (individual) enclosures and attach them to a RPi and make a NAS using openmediavault software.

And no, I am not thrilled about the 40% discount here to get another one of WD’s ancient product (EX2, which was released in 2016!) which is likely going to be unsupported in a few years.

Sorry to hear about your predicament. I had remote access activated but did not get hacked. Perhaps I was lucky. I’m not sure I can contribute much more that is useful to you.

May I indulge your patience a little and ask you to check your settings to see if remote access was enabled or not in your case? If you had remote access disabled and still got hacked it would be beneficial for others in the WD community to know and learn from as well as myself.

@Tangent147, will check and update.

In the meanwhile, found this article:
https://www.clusterednetworks.com/blog/post/wd-my-book-live-security-fix
Video version: WD My Book Live Security Fix - YouTube

Seems promising! I am trying to get back the My Book Live Duo as a LAN-only device, so that it cannot connect to the internet nor can it be addressed from outside.

  1. Reflash the device with the latest (ugh, the one from 2015) firmware. This is important to erase any malware in case the hack involved changing any of your OS files, installing malware, etc.
  2. Disable Remote Access in the device
  3. Remove gateway IP in network settings
  4. Turn off UPNP (on the NAS and your router); although turning it off on the NAS may interfere with its visibility from other devices on the LAN (for e.g. my LG TV). Needs to be verified. It may be ok to just enable it on the router only (I have already done that).
    3a) Check your router for any port forwards to the NAS IP. This is only present if you or someone in your household added it, but it is good to check and remove.
  5. I am also planning to create a “software faraday cage” via my router (Deco X60) where I use the parental controls to turn off all internet access to the NAS pretty much entire 24/7/365.

Please add any other tips needed.

@Tangent147 - yes it seems like Remote Access was indeed enabled for me… now, I am not sure if that setting got turned on automatically after the hack-reset happened or not (i.e. if the reset, ended up resetting the settings as well to default values).

I have now implemented the above mentioned security changes and am reusing the MBL Duo. We’ll see, I am monitoring closely.

Unfortunately dealing with WD support is a nightmare. I spent over 2.5 hours on the phone only to be connected with a person who did not know anything about the vulnerability. They said they would send me a coupon to upgrade to a more recent device, but heck no. After this experience I am not going to ever buy a WD product. All they have to do is release a fix, even if not under support it does not take much for their engineers to edit the bad php file and make ensure the vulnerability is no longer present. This is a scam

Hi @Tangent147 How do you reflaash the device with the latest, if the latest is already installed. For example, I have MyBookLiveDuao 02.43.10-048:Core F/W installed, and the only available release from WD is the same version. I download it again, and it comes down as apnc-024310–48-20150507.deb but when I try to use update from file, it says invalid firmware package. I have checked it is properly downloaded.

I don’t recall enabling remote access on my device either perhaps during an automatic update it was enabled or re-enabled.

Sorry no idea.

Over the weekend, I bought a raspberry pi4b, installed openmediavault and emby media server… Connected a (Seagate) 2TB external hard drive via usb3 and I have a full fledged NAS in place. The MBL will be turned off shortly for good. The whole thing cost me less than $100 (I already had the ext hdd, so it was just the cost of the rpi at eighty bucks).

I plan to harvest the 2 x 3TB drives in the MBL into a cheap JBOD enclosure and use it with the NAS.

I thought of buying the Synology DS220+ at first but decided vendor lock-in is just bad. With the rpi, I have full control over all the pieces of the puzzle and if a particular piece of software goes dormant I can move to another. We have to see how this works.

Oh, btw, I put the rpi4 into an “no internet” cage via my routers parental controls feature. I will only enable it briefly whenever I need to update software. Otherwise there is absolutely zero reasons for any internet traffic to go in or out of the rpi. Upnp on the router has been turned off as well.

I don’t plan on buying any WD products in the future.

You just download the firmware file and do the update exactly like u did before - it will reflash regardless of version.

The .Deb file is a package, that is definitely not what u want.

Thanks sat24, but there is no other firmware to download. The only other download is the gpl source which is not listed as download. https://support-en.wd.com/app/products/product-detail/p/231#WD_downloads unless you know of another location where it maybe posted.

My apologies. I went back and checked and my firmware I used to flash is exactly the same .Deb file. So I was wrong.

IMHO at this point, you may want to seriously throwing this device in the trash and using those hard drives in a different setup. With WD not supporting them, unless u r willing to compile ur own kernel etc. it is not easy to keep them running.

Thank you sat24. I agree, this is a dead weight device. I either bite with their 40% offer, which is expensive for my current needs, or find a vendor that has better suited needs. I still think that WD has done us wrong on this issue and they should have provided a patch, even if out of warranty.

1 Like