A team of researchers has decided to check whether the encryption offered by Western Digital’s My Passport external self-encrypting hard drives is effective and unbreakable as it should be. Unfortunately, the results of their research revealed that the devices are riddled with vulnerabilities, which can be exploited by attackers to access the data stored on them.
Depending on the model, the drives connect to host computers using USB 2.0, USB 3.0, Thunderbolt or Firewire. The are sold pre-formatted, pre-encrypted, and work with free software from the manufacturer. The researchers tested different models from the My Passport series, sporting six different hardware models.
“We developed several different attacks to recover user data from these password protected and fully encrypted external hard disks,” they noted in their paper. “In addition to this, other security threats are discovered, such as easy modification of firmware and on-board software that is executed on the users PC, facilitating evil maid and badUSB attack scenarios, logging user credentials and spreading of malicious code.”
The Key Encryption Key (KEK), which is a hash derived from the user password and is needed to unlock the drives and to retrieve the Data Encryption Key (DEK), should be difficult for an attacker to crack but, due to security weaknesses in the firmware, off-device password brute-force attacks are possible.
Weak key material, predictable RNG generators, easily modifiable firmware, backdoors for instant KEK and DEK decryption were all found in the various versions of the devices, making the promise offered by the manufacturer – that of keeping the users’ data secure – effectively empty.
These findings also raise another fundamental question: How can we trust this and other manufacturers’ claims when it comes to encryption? Also, this example shows why we need security researchers to test out those claims, and why we should support the practice, and not try to hinder it.
Western Digital has commented the findings by saying that they have been “in a dialogue” with the researchers, and that they “continue to evaluate the observations.”
“We highly value and encourage this kind of responsible community engagement because it ultimately benefits our customers by making our products better. We encourage all security researchers to responsibly report potential security vulnerabilities or concerns to WD Customer Service and Support,” WD spokeswoman Heather Skinner told The Register.