Western Digital PassPort, My Book Hard Drives Littered With Serious Crypto Flaws, Expose User Data

Considering the fact that Western Digital just made a mammoth acquisition, I'm sure it would have preferred that bad news surrounding some of its products could have come out at any other time. Nonetheless, anyone that purchased a My Passport external hard drive between 2007 and 2013 and has been taking advantage of its built-in security features will want to take note.

According to research conducted by Gunnar Alendal, Christian Kison, and modg, we've learned that all My Passport drives manufactured between those years have a gaping flaw that renders their built-in encryption pretty much useless. It doesn't matter if the drive channels data through USB 2.0, USB 3.0, FireWire or Thunderbolt - they're all vulnerable.

WD MyPassport Ultra

The researchers found that because of how the security is implemented, it could be possible for users with a mere laptop to be able to breach the security. This is because the keys are easily accessible, due to the fact that the USB bridge, rather than the SATA controller itself, is what's handling the encryption. It's noted that late model My Passport drives have moved encryption control to the SATA controller, so they're deemed safe.

It's not just that the keys are easily exposed, but they're also weak. While the encryption might be 256-bit, the keys themselves have been found to be 32-bit, generated by a simple algorithm aided by the system clock. The researchers note, "This means they are trillions and trillions of times easier to crack".

Up to this point, it's noted that Western Digital hasn't released firmware updates that could get rid of this issue, and given that some of these models are quite outdated, I'd imagine that an update isn't going to come. If there's an upside, we have the feeling that Western Digital will never use such an insecure method again. That, however, doesn't help those out who thought they were using a truly secure device all this time.


Tags:  security, WD, nasdaq: wdc
Via:  threatpost
Show comments blog comments powered by Disqus