Pixel Envy

Written by Nick Heer.

Western Digital Removed a Password Requirement for Resetting My Book Live Hard Drives, Allowing Them to Be Wiped

Dan Goodin, Ars Technica:

Last week’s mass-wiping of Western Digital My Book Live storage devices involved the exploitation of not just one vulnerability but a second critical security bug that allowed hackers to remotely perform a factory reset without a password, an investigation shows.

The vulnerability is remarkable because it made it trivial to wipe what is likely petabytes of user data. More notable still was that, according to the vulnerable code itself, a Western Digital developer actively removed code that required a valid user password before allowing factory resets to proceed.

I remember when Western Digital was the gold standard in hard drives. The My Book line of external drives, in particular, offered a clean look that fit onto a desk, FireWire connectivity for speed, and long-term reliability. The five-line code snippet posted by Goodin has largely erased my confidence in the company. This is an extraordinary breach of trust.