I'd love to take a moment to talk about the quality of the code (assuming that the full code listing that the Ars article links to is accurate).
It's pretty clear that there are no coding standards, sparse comments (literally just 1), lots of mixed tab/spacing, misspelled names, etc.
Furthermore, the fact that this got into production shows that either the code wasn't even reviewed prior to release and/or it wasn't reviewed carefully.
I think this goes to a much larger issue of devices in this so-called IoT world we live in now. So many of these devices are built by "hardware-first" companies, who oftentimes put very little budget, time or emphasis on the software side of things. As people's daily lives depend more and more on IoT devices, I think this should be more and more of a concern: it doesn't matter how good the hardware is and/or how cost efficient a company's hardware production capability is if you don't value the quality in the software that runs said hardware.
(Full Disclosure: I'm a full-time independent software developer who has worked on many IoT projects, working directly with hardware and device manufacturers)
This is probably also reflected by the fact that they stopped patching it relatively early in its life. Three years of patches for what is effectively an internet-connected hard drive, presumably one that its target audience is going to be using for many years as something that “just works,” reflects a disinterest by Western Digital in living up to its own sales pitch.
Right - if the hardware is no longer selling (due to missing sales targets) then there's little incentive for the companies to still invest significant resources into maintaining it. Of course one option would be to open source it entirely and turn it over to the community for long term support, but the companies like holding onto whatever little bits of IP they can (even if they are largely just implementing open source software to begin with, and nothing super special).
This is a problem. I don't know the solution, except that companies should really commit to LTS support of things no matter the sales targets.
> This is a problem. I don't know the solution, except that companies should really commit to LTS support of things no matter the sales targets.
The EU and US could mandate that all products sold in the EU/US have their firmware source code, working toolchain as a virtual machine image and all relevant documentation (including SoC docs, BOM and schematics, as well as case and other parts' 3D specs and any digital certificates and private keys) be held in trust at the national public libraries. When the manufacturer ceases to support the device - including not fixing critical security bugs at 90 days post disclosure - the complete archive is released to the public as open source.
Additionally, the US and EU could mandate that any Internet connected device's firmware as well as its development process must pass an audit at certified organizations such as TÜV or UL. We're doing this for electrical and gas appliances already due to the risk these things pose to the general public, it's time to do the same for IT.
Products developed as open source can be exempted from the audit requirement to incentivize open source development.
I've had similar ideas, but with IP/DMCA rights/enforcement being conditional on depositing keys and source code with the Library of Congress, to hold in a sort of public escrow. Maybe even require it for FCC certification, or for courts to recognize/enforce EULAs or other claims.
If you want to enjoy the public protections of IP, the public needs to get a copy of source code and meaningful device access, upon whatever definition of un-patched software or device abandonment.
Obviously there's a lot to work out, but philosophically, I like the idea better than introducing new jurisdictions of regulatory power, especially when the relief sought should already be attainable under the public contract made in seeking government enforced IP protection.
> Obviously there's a lot to work out, but philosophically, I like the idea better than introducing new jurisdictions of regulatory power, especially when the relief sought should already be attainable under the public contract made in seeking government enforced IP protection.
Putting your code into escrow does not imply it's going to get audited or that it was developed under somewhat reasonable conditions (aka with code reviewing and testing).
We have seen way, way too much damage, to the tune of billions of dollars and everybody's personal data ending up in hacks "thanks" to shoddy software now; it's a matter of national security to create and enforce regulations.
Maybe we can create exemptions for small companies and startups, but as soon as you hit 10k users in general population you should have at least basic security processes implemented.
Several years back, I did an internship at Western Digital. I was a software intern on a hardware team in testing working on a project that no one on the team was capable of doing. It quickly became obvious it was more appropriate for a contractor to build than an intern, and was even told as much, but they went with the intern route because it "required fewer signatures".
It was glaringly obvious that software was not part of the company's core competency. Worse, was that software was treated as a nuisance and afterthought to the hardware. No idea how today's Western Digital compares, but I generally steer clear of the company's products that rely on any non-trivial software.
I think part of the problem is that the industry doesn't seem to value embedded software engineers. The work embedded software folks do is just as complicated as that of a full-stack developer working for a SaaS company, but the salaries aren't comparable.
It doesn't help things that the skill sets are very transferable. It's tough to find somebody willing to forego 20-30% of salary just because they enjoy embedded - after a while, people get fed up and move into better paid SE roles. So, embedded software departments are often short-handed. A former employer of mine lost a senior firmware engineer almost three years ago. As far as I know, they still haven't filled the position.
You'd likely be shocked/scared at the amount of terrible code which is out there in the wild running at any time in large companies. Mostly it is outsourced to the cheapest possible vendor, many times who have barely a grasp of what they're doing, and for sure don't understand or think about best security practices.
> Abdine has come up with a plausible theory—that one hacker first exploited CVE-2018-18472 and a rival hacker later exploited the other vulnerability in an attempt to wrest control of those already compromised devices.
Excluding straight vandalism, I can't really come up with another reason for the reported sequence of events. Presumably the first attacker wanted to build a botnet (which is actually something they can draw profit from), and a competitor wanted to prevent them from doing that.
Otherwise — again, excluding straight vandalism — what is the benefit of wiping the devices? Having your preexisting botnet target/scan and exploit these devices isn't free. What else could they have been trying to gain?
Watching the world burn. There are plenty of examples of worms/viruses that bring no benefit to the creator. I know you said "excluding", but it's popular.
Alternatively, some misguided "white knight" idea. Maybe the factory reset turns off the "open to the internet" setting.
Realistically speaking, you are probably going to be able to hide ~$100-$250k of put earnings, especially if you have a trading history and it's not the only thing you trade.
Ok, buy the same number of puts and calls, so your exposure is to volatility (vega). This way, it can move in any direction and you'd benefit, and it's very unlikely a big scary hacking event (covered by the financial press) wouldn't increase volatility of a stock.
Yup. I learned long ago that having an insider's perspective doesn't necessarily help me predict where the market will move.
An expert's perspective can certainly be helpful, but if market prices are set by non-experts (or, experts in other fields) then it may just lead to consistently wrong answers per the tenets of Keynesian economics.
I don’t doubt your options strategy, but this didn’t move the market for WD at all because it’s ultimately small time news compared to everything else happening.
What I don't get is why are people directly connecting these devices to the internet?
The logs in the article show these devices being accessed from the internet.
There have been many people in this forum mentioning how their data is gone, and I'm doubting most of the people here are directly connecting their devices to the internet .. which makes me feel like there is something more going on.
> What I don't get is why are people directly connecting these devices to the internet?
Because they want to access their data from anywhere or at least like the idea of doing that and it's under their control, not the Google or Microsoft cloud.
They don't trust or can't afford the monthly cost of _Drive cloud solutions so go with the home based solution. They still want the web access for pulling up photos for grandma or something.
WD has (had?) credibility in non tech circles so these would sell well.
First HN article had a bunch of people saying there were devices behind a NAT with no port forwarding that had the issue; this doesn't describe what happened there (if that actually happened).
The developer probably commented out the authentication begrudgingly because he was requested to do so.
If a user forgets their password or buys a used drive then they won’t know the password. It’s common in the hardware industry to be able to factory reset a device somehow.
Probably common, but connecting that function to the web (via PHP in this case) is pretty stupid.
I would think it would run a firmware function to do the resetting, and if not that, then some sort of shell script that is not callable by their web interface.
Due to all this stupidness, my weekend is going to be consumed by trying to find out if my Synology has something stupid in it (assuming I can even figure that out).
So my trust in "personal" network storage devices has been shattered. Hopefully Synology is not as dumb.
Just set up an old computer to be your nas and call it a day. Would be much quicker, and you can be much more confident it does only what you want it to do
My son has my old computer for playing Fortnite. :)
So I'm reading up on TrueNAS to see if that's the way for me to go.
Frankly, I love my Synology, but it's at EOL (can't do the new version of DSM). My needs are pretty simple, hence either straight Linux or TrueNAS seem to be my best options.
I tried to start implementing separate LANs/VLANs at home for trusted and untrusted devices. But I quickly realized I don't really trust any of it, save my personal laptop and a few of the servers I run.
It's pretty much devolved to users instead of devices:
1) devices only I have write access to
2) devices others have access to
3) iot (which are basically users I've never met)
At least I can segregate me running a port scan from my laptop from a family member's phone running a port scan from some spyware game they downloaded.
I have a good idea how much I can trust my own devices, even if my phone's baseband OS is sending an unstoppable stream of location data and super cookies.
But this NAS/cloud connected storage thing is a bit of an oddball, since you're supposed to trust it with your data, but can't trust it with unfettered network access.
Why would someone comment out authentication for reset? I mean, what possible reason is there for doing so? It doesn't make security any better and it's not something which impacts day-to-day performance in any way.
The most infuriating answer would be that maybe they were testing the restore function, and were tired of entering the test username and password over and over again. And then the "I'll just comment it out for my tests" got committed, and built, and deployed.
If a user forgets their password, they still need a way to factory reset so as not to brick the device. Of course, this should involve, say, pressing and holding a physical button on the device. Just commenting out the password check was probably a lot easier.
Guessing this is right. While neither would be perfect, they could have at least checked for "request coming from the same local subnet" or "enter MAC address as password", or similar.
Was likely done in development by a developer that was sick of seeing the same password prompt 50 times a day, and who later forgot to un-comment it. There's absolutely no way this should have made it past code review.
Ouuf, I was wondering what happened to all my data on my old My Book Live. I'm okay with my own incompetence or network security; however, I'm not okay with WD's incompetence.
Just curious, did you have remote (WAN) access set up?
I have one of these at my parents' house. I had them unplug it once I read this, but I was always wary of turning on remote access, so it would only be accessible from the LAN. I haven't had a chance to go back in and check if it was hit, but I'd like to think that without remote access turned on it wasn't vulnerable.
That's pretty simple. Tar and encrypt all their data. Put a DO_YOU_WANT_IT_BACK.TXT file in the root next to it and in there provide instructions to pay the ransom.
I would've thought that destroying your users' data in vast amounts would be bad for the company. Surely this would shatter user trust? Who would buy something like this from Western Digital in the future?
And yet, their stock price seems unaffected. It was slightly up, though just in the way it randomly fluctuates, on the day of the announcement.
It's a defect in an old product that they don't sell or even support anymore. They are still selling hard drives by the millions to server and storage OEMs. Consumers mostly are not even buying spinning drives anymore. It's all Flash or SSD.
> As the following script shows, however, a Western Digital developer created five lines of code to password-protect the reset command. For unknown reasons, the authentication check was cancelled, or in developer parlance, was commented out as indicated by the double / character at the beginning of each line.
As far as I can tell, WD's response is "too bad so sad you should have bought a newer product", so I don't think they offer affected people any sort of recovery gratis.
(I suspect this will bite them in the ass in the court of public opinion, but we'll see.)
Not sure what "factory reset" means, likely just deleting the MBR or something like that, the data is likely recoverable using consumer data recovery tools.
Yes, assuming the best case scenario it should be easy for us on HN. But for 99% of those customers, they likely think all of their data is gone.
(It will be worse if they start writing more data on the empty drive ...)
And I don't seem to see any site that offers basic advice such as: disconnect, power down and don't touch it for now. Not knowing what to do is causing panic.
It's not that it's secured with PHP, it's that it's not secured properly. Given the scale of this screw-up, there's nothing tying it to PHP, and it could've been done in the HN language/platform du jour.
Maybe it's not the language, maybe it's all correlation and no causation, but software that happens to have been written in PHP does not have a stellar security track record. My logs don't fill up with lines like:
HTTP POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
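As an added illustration of the point about scanner noise in web logs (example code written for this thread, not taken from the article or from any vendor), the following PHP script parses a few constructed access-log lines and reports which source addresses requested the phpunit eval-stdin.php path quoted above. The log lines, the log format and the pattern list are assumptions; the only probe path it matches out of the box is the one from the comment, and an operator would extend the list with whatever their own logs show.

```php
<?php
// Added example for this thread, not vendor code. Scans access-log lines for
// requests to well-known PHP probe paths and groups the hits by client IP.

// Patterns are assumptions for the example; the first one is the path quoted
// in the thread. Extend with paths seen in your own logs.
const PROBE_PATTERNS = [
    '#^/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$#i',
];

// Parse one line in the Apache/Nginx "common" log format (assumed here):
//   client - - [timestamp] "METHOD path HTTP/x.y" status bytes
// Returns null for lines that do not match, so malformed input is skipped.
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

// Return [client IP => list of "METHOD path -> status"] for every request whose
// path matches one of the probe patterns. Query strings are stripped before
// matching so "?x=y" suffixes cannot evade an anchored pattern.
function find_probes(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_access_line($line);
        if ($req === null) {
            continue;
        }
        $path = strtok($req['path'], '?');
        foreach (PROBE_PATTERNS as $pattern) {
            if (preg_match($pattern, $path)) {
                $hits[$req['ip']][] = $req['method'] . ' ' . $req['path'] . ' -> ' . $req['status'];
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample input (documentation IP ranges, not real traffic).
$sampleLog = [
    '203.0.113.9 - - [25/Jun/2021:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 153',
    '192.168.1.20 - - [25/Jun/2021:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 4123',
    '203.0.113.9 - - [25/Jun/2021:10:02:11 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php?x=1 HTTP/1.1" 404 153',
    'this line is not an access-log entry',
];

foreach (find_probes($sampleLog) as $ip => $requests) {
    echo $ip, ":\n  ", implode("\n  ", $requests), "\n";
}
```

Run it with `php` on the command line; it groups the probe requests under the single scanning address and ignores the ordinary `index.php` request and the malformed line. A 404 on such a probe is the expected (good) outcome: the alert is about who is scanning, not about a successful request.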
Yep. We are talking about cloud services revolution but the sad fact is that I can't trust these incompetents with my shopping list and need to maintain all my data and backups myself.
The commented out function - if a verbatim copy of deployed code was in fact presented - seems to not include function name and opening brace, but does comment out the function proper and closing brace, which, and it's been a while since I did anything with PHP, would mean a syntax error on run, right?
The closing brace there corresponds to the if. The rest of the body of the function, and its closing brace, are outside the snippet included in the article.
The commented-out closing brace is for the if statement, not the whole function. The rest of the function was snipped, you can see the whole thing here: https://paste.debian.net/plainh/7630c424
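To make the two points above concrete (that a reset endpoint should keep its password check, and that the commented-out closing brace closes the `if` rather than the function, so the file still parses), here is an added PHP illustration written for this thread. It is not Western Digital's code and does not reproduce the linked paste; the function names (`reset_handler_vulnerable`, `reset_handler_hardened`, `system_factory_restore`), the request field names and the subnet check are all assumptions. The hardened version also carries the "request must come from the local subnet" idea raised earlier in the thread.

```php
<?php
// Added example for this thread, not vendor code. Shows a factory-reset
// handler in the shape the article describes (check commented out) next to a
// hardened form. All names are assumptions for the example.

// Stand-in for the device's real reset routine (assumption).
function system_factory_restore(): bool
{
    return true;
}

// --- Vulnerable form, as reported: the check exists but is commented out. ---
// The commented-out "}" closes the `if`, not the function, so PHP still parses
// this file and the reset runs for anyone who can reach the URL.
function reset_handler_vulnerable(array $post, string $adminPasswordHash): bool
{
    // if (!isset($post['password']) ||
    //     !password_verify((string) $post['password'], $adminPasswordHash)) {
    //     http_response_code(401);
    //     return false;
    // }
    return system_factory_restore();
}

// True if $ip lies inside the IPv4 CIDR block $cidr (assumes 64-bit PHP, where
// ip2long() returns a non-negative integer).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2);
    $bits = (int) $bits;
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;
    }
    return ($ipLong >> (32 - $bits)) === ($subnetLong >> (32 - $bits));
}

// --- Hardened form: check restored and reset limited to the LAN. ---
// Order matters: reject remote sources before touching the password so a
// WAN-facing instance never even exercises the credential check.
function reset_handler_hardened(
    array $post,
    string $adminPasswordHash,
    string $remoteAddr,
    string $lanCidr
): bool {
    if (!ip_in_cidr($remoteAddr, $lanCidr)) {
        http_response_code(403);
        return false;
    }
    // password_verify() handles the salted hash and compares in constant time.
    if (!isset($post['password']) ||
        !password_verify((string) $post['password'], $adminPasswordHash)) {
        http_response_code(401);
        return false;
    }
    return system_factory_restore();
}

// Constructed demo input (not real device data).
$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
var_dump(reset_handler_vulnerable([], $hash));
var_dump(reset_handler_hardened(['password' => 'wrong'], $hash, '192.168.1.20', '192.168.1.0/24'));
var_dump(reset_handler_hardened(['password' => 'correct horse battery staple'], $hash, '203.0.113.5', '192.168.1.0/24'));
var_dump(reset_handler_hardened(['password' => 'correct horse battery staple'], $hash, '192.168.1.20', '192.168.1.0/24'));
```

The first call shows the vulnerable handler resetting with no credential at all; the hardened handler refuses the wrong password, refuses a correct password arriving from a non-LAN address, and only then performs the reset. A subnet check is a mitigation, not a substitute for authentication, and the physical-button approach mentioned above is stronger still because it cannot be reached over the network at all.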