Western Digital's hard drive encryption is useless

Totally useless

Rookie errors make it child's play to decrypt data

The encryption systems used in Western Digital's portable hard drives are pretty pointless, according to new research. It appears anyone getting hold of the vulnerable devices can easily decrypt them.

WD's My Passport boxes automatically encrypt data as it is written to disk and decrypt the data as it is read back to the computer. The devices use 256-bit AES encryption, and can be password-protected: giving the correct password enables the data to be successfully accessed.

Now, a trio of infosec folks – Gunnar Alendal, Christian Kison and "modg" – have tried out six models in the WD My Passport family, and found blunders in the software designs.

For example, on some models, the drive's encryption key can be trivially brute-forced, which is bad news if someone steals the drive: decrypting it is child's play. And the firmware on some devices can be easily altered, allowing an attacker to silently compromise the drive and its file systems.

"We developed several different attacks to recover user data from these password-protected and fully encrypted external hard disks," the trio's paper [slides PDF] states.

"In addition to this, other security threats are discovered, such as easy modification of firmware and on-board software that is executed on the user's PC, facilitating evil maid and badUSB attack scenarios, logging user credentials, and spreading of malicious code."

My Passport models using a JMicron JMS538S micro-controller have a pseudorandom number generator that is not cryptographically secure, and merely cycles through a sequence of 255 32-bit values. This generator is used to create the data encryption key, and the drive firmware leaks enough information about the state of the random number generator for this key to be recreated, we're told.

"An attacker can regenerate any DEK [data encryption key] generated from this vulnerable setup with a worst-case complexity of close to 2^40," the paper states.

"Once the DEK [data encryption key] is recovered, an attacker can read and decrypt any raw disk sector, revealing decrypted user data. Note that this attack does not need, nor reveals, the user password."
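Why a short-cycle generator undermines a 256-bit key, as an added example that is not code from the paper or from WD's firmware: it counts how many distinct keys a generator with a 255-step cycle can ever emit. The generator (`weak_next`, `weak_word`) is a constructed stand-in that models only the short cycle, not the real firmware or its state leak, so its count is not the paper's figure.

```python
import math
import secrets

def weak_next(state: int) -> int:
    """Constructed 8-bit generator: multiply by 3 in GF(2^8) (AES polynomial)."""
    doubled = ((state << 1) ^ (0x1B if state & 0x80 else 0)) & 0xFF
    return doubled ^ state

def weak_word(state: int) -> int:
    """Stretch the 8-bit state to 32 bits; this adds width, not entropy."""
    return (state * 0x9E3779B1) & 0xFFFFFFFF

def weak_key(seed: int) -> bytes:
    """Build a 256-bit key from eight consecutive 32-bit outputs."""
    state, out = seed, b""
    for _ in range(8):
        out += weak_word(state).to_bytes(4, "big")
        state = weak_next(state)
    return out

def cycle_length(seed: int = 1) -> int:
    """Count steps until the generator returns to its starting state."""
    state, steps = weak_next(seed), 1
    while state != seed:
        state, steps = weak_next(state), steps + 1
    return steps

def reachable_keys() -> set:
    """Every key the weak generator can produce, one per starting state."""
    return {weak_key(seed) for seed in range(1, 256)}

def effective_bits(n_keys: int) -> float:
    """Key strength in bits when only n_keys outcomes are possible."""
    return math.log2(n_keys)

def strong_key() -> bytes:
    """What key generation should use: the OS CSPRNG, 256 bits of entropy."""
    return secrets.token_bytes(32)

if __name__ == "__main__":
    keys = reachable_keys()
    print("cycle length:", cycle_length())
    print("distinct 256-bit keys:", len(keys))
    print("effective strength: %.2f bits" % effective_bits(len(keys)))
    print("CSPRNG key length:", len(strong_key()) * 8, "bits")
```

The keys are 256 bits wide, but an audit of the generator shows fewer than 8 bits of actual strength, which is the gap between the advertised AES-256 and what the key generation delivers.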

Drive models using a JMicron JMS569 controller – which is present in newer My Passport products – can be forcibly unlocked using commercial forensic tools that access the unencrypted system area of the drive, we're told.

Drives using a Symwave 6316 controller store their encryption keys on the disk, encrypted with a known hardcoded AES-256 key stored in the firmware, so recovery of the data is trivial.

It must be stressed that the flaws are in WD's software running on these microcontrollers, rather than the chips themselves.


Comments (8)

I would expect WD is scrambling today so that next month's products have improved encryption.

Hello Ken,

Concerning. I just heard a story about credit card theft. It can be easily stopped if people are assigned PIN numbers. Debit cards have these, and from what I understand, there is not a lot of theft with debit cards.

Now, I heard on the news that they are coming out with "chipped" credit cards. They say consumers are getting tired of always filing for new credit cards. It was reported that one consumer had to file for a new credit card within an 18-month period. What a time-consuming hassle they claim.

Continuing with the initial story I heard about with credit card theft. It has been written years ago about credit cards becoming "chipped."

All this "fear" of people being unsafe is leading up to personal implanted chips. With the acclimation to chips and people being so "fearful" of their security, it is predicted people will be lining up to be implanted with the chip in their hand.

Perhaps....this ties into your story you share.

After all, would should be scared? dunno

*had to file for 3 new credit cards within an 18-month period.

and for correction #2....

*After all, we should be scared?

I think the implanted chip is dumb. I know some of the Hollywood folk have had it done but their convenience is just a theft waiting to happen. The concept is you wave your wrist at a scanner and it senses and reads your implant, then charges your credit account. The obvious downside is anyone can have a scanner and you may not notice it while walking by.

A second downside is if it has steel in it, we can probably make it red hot with microwaves of a frequency/power level the user may not even notice until suddenly their arm starts smoking and they drop to the floor screaming.

I have some WD Passport devices myself. I never turned the encryption on in them because they aren't holding anything sensitive, but I am sure, since encrypt is a built-in option, that is not true of everyone. Now if they read this they at least know they weren't as secure as they thought.

Ken,

Interesting about the burning of the hand.

The worst part of the story....so, it has been told. (Must say, I am just repeating what I heard). Anyway, it is said that this implant is supposed to electrocute and do away with the person holding it.

...again...dunno


I may add, the young woman who wrote the book claimed to have some sort of access to secret knowledge. She wrote in her book about fearing for her life for writing the book. She died in her 30s.

Like I wrote, there are a few Hollywood types using it, some Top 10 singers too. Several stores in Beverly Hills have the scanners. There is no electricity in the credit card implants, so it would be hard to electrocute someone with one.

clever man Ken all way above my head. I am still with old debit card and pin number, nobody gets my number.
I just don't like this new thing waving debit card over machine and Bob's your uncle small change bill paid.
What if someone pickpocketed my card-----he would have to get through many barriers. He could spend all day getting coffee here and there before I found out.