Western Digital, a company that primarily sells hard drives and SSDs and has been around in one form or another for more than half a century, has no such excuse. They knew the market they were in and the use case this was intended for. The decision to not support long-term security updates on a device that was intended for long-term storage raises some serious questions about the way that the company approaches hardware updates.
Yes, a NAS with decade-old guts is not going to be as useful a decade after the fact. But given that this is a piece of hardware that is put into homes or networks and intended to “just work,” there appears to be a major disconnect between Western Digital, the manufacturer, and the consumers who likely intend to use products like these for a long period.
The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012. These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle. We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.
(I imagine the people affected by this exploit did not see this message.)
Perhaps companies should not have to support old devices forever, but this to me very much seems to be a case of WD pulling the plug on supporting a device well before many of its users had actually gotten a useful lifecycle from the device.
What the company is doing is clearly not working—Sonos, the subject of my article from last year, supported its smart devices (targeted to a similar serious-consumer market as the WD My Book Live devices) for more than a decade, well beyond the point Western Digital cut off security updates.
And because of that, a lot of people will probably never buy a Western Digital product ever again. Heckuva job.