Customers who choose encrypted Western Digital hard drives sometimes ask themselves if their devices actually stand up to security threats.
That is why experts act as whistleblowers when the safety of our data is at risk. A team of researchers established that the American brand of "self-encrypting" hard drives presents major security liabilities, transforming malicious access to sensitive data into child's play.
According to this paper [PDF], Western Digital (WD) manufactured the external HDD line "My Passport" with inherent safety issues. At least one model from the line ranks high in users' preferences and has gained about 2,000 reviews on Amazon.
The Full Disclosure email list published the details of the study.
"Backdoors on some of these devices, resulting in decrypted user data, without the knowledge of any user credentials," were discovered, alongside a series of other vulnerabilities.
Most users rely on the password protection that comes with My Passport for data safety, assuming that a perpetrator can access their files only by having the key.
Assistant professor at Johns Hopkins University, Matthew Green, begs to differ.
"The security of the drives is actually very weak," he points out.
The main problem lies within the encryption key generation mechanism. Green explains that WD makes the elementary mistake of using the C rand() function, famed for being unreliable in cryptography. According to Green, it is far too simple to produce a strong protection key.
The fact that the key was generated using a 32-bit format adds fuel to the fire.
The assistant professor at Hopkins notes that a well-secured device would take "billions of years" of brute-force to crack. However, due to the poor self-encryption of WD's hard drives, the method can yield results in a reasonably short amount of time.
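The weakness Green describes can be shown in a few lines of C. This is an added example, not code from the paper or from WD's firmware: the generator is a constructed textbook LCG standing in for rand(), the function names are hypothetical, and the search window is capped at 2^20 seeds so it finishes instantly. It shows that a 256-bit key filled from a 32-bit seed can be regenerated by walking the seed space, while a key drawn from the operating system's CSPRNG cannot.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Constructed stand-in for a libc rand(): the ANSI C sample LCG. */
static uint32_t lcg_next(uint32_t *state) {
    *state = *state * 1103515245u + 12345u;
    return (*state >> 16) & 0x7fff;
}

/* Weak pattern: every key byte is determined by one 32-bit seed. */
void weak_keygen(uint32_t seed, uint8_t key[KEY_LEN]) {
    uint32_t st = seed;
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)lcg_next(&st);
}

/* Audit helper: look in [lo, hi) for a seed that regenerates `key`.
 * Returns 1 and stores the seed in *found on a match, otherwise 0. */
int seed_reproduces_key(const uint8_t key[KEY_LEN], uint32_t lo, uint32_t hi, uint32_t *found) {
    uint8_t cand[KEY_LEN];
    for (uint32_t s = lo; s < hi; s++) {
        weak_keygen(s, cand);
        if (memcmp(cand, key, KEY_LEN) == 0) { *found = s; return 1; }
    }
    return 0;
}

/* Hardened pattern: take all key bytes from the OS CSPRNG. 0 on success. */
int strong_keygen(uint8_t key[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

int main(void) {
    uint8_t key[KEY_LEN];
    uint32_t seed = 0;
    weak_keygen(0x0003d0f1u, key);            /* constructed sample seed */
    int hit = seed_reproduces_key(key, 0, 1u << 20, &seed);
    printf("weak key regenerated: %d (seed 0x%08x)\n", hit, (unsigned)seed);
    hit = strong_keygen(key) == 0 && seed_reproduces_key(key, 0, 1u << 20, &seed);
    printf("CSPRNG key regenerated: %d\n", hit);
    return 0;
}
```

The key length on the label says nothing about strength here: the number of distinct keys the weak generator can ever emit is bounded by the number of seeds, not by 2^256.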
Some of the unsafe devices even store the password on the hard drive. This makes the digital breaking and entering even simpler, as hackers don't need the password to gain access to the device.
The Full Disclosure post says that the authors of the security paper briefed WD about the problem, yet the company is keeping quiet about a patch that could solve it.
The team underlines that the security issues are connected to the software that runs in WD's microcontrollers and not to the chips themselves.
"[WD] has been in a dialogue with independent security researchers relating to their security observations in certain models of our My Passport hard drives," a spokesperson from Western Digital commented. The spokesperson further added that the HDD manufacturer appreciates feedback and encourages users to submit their observations, ensuring a safer data ecosystem for all.
"Until the flaws are verifiably fixed, these devices should be viewed as effectively unencrypted," Green concluded.