Self-encrypting Western Digital drives have serious security flaws and backdoors
Security researchers have discovered that a number of Western Digital drives -- including many My Passport and My Book devices -- are blighted with serious vulnerabilities that leave encrypted data stored on them accessible by attackers. The self-encrypting drives were found to be so insecure that it was possible to recover data without the need for the relevant password.
A paper published at the end of September provides details of how some Western Digital drives are susceptible to brute force type attacks, and there are even some models which store the decryption key on the drive. Western Digital would almost certainly rather people were talking about its purchase of SanDisk, but people are more likely to be interested in the company's seemingly terrible approach to security.
The research paper has now been published to the Full Disclosure mailing list after Western Digital had been notified of the findings. There is a lengthy list of complaints about the security of the drives, including the fact that a random number generator used to create encryption keys is not very random at all. The paper explains that "the RNG generator of the JMS538S has been shown to be predictable, as it returns 255 different bytes in a specific order".
The method of seeding used to protect the key is also laughably weak. A 32-bit value derived from the time of key creation is used, greatly reducing the amount of time and processing power required to execute a successful brute force attack.
But the problems do not end there The researchers also found serious security problems with Western Digital firmware upgrade process:
Another attack vector on every WD we analyzed, is the update mechanism of WD. The firmware update of the bridges and the emulated CD-ROM is done by undocumented vendor-specific SCSI commands, that is executable post-authentication. The firmware and virtual CD are not digital signed or cryptographically secured from tampering and modification.
Western Digital is yet to comment on the findings, or given indication of whether patches will be issued.
Photo credit: Dario Vuksanovic / Shutterstock