Western Digital Western Digital My Passport Hard Drives Come with a Slew of Security Holes

[vissha]

Western Digital My Passport Hard Drives Come with a Slew of Security Holes

WD HDDs allow authentication and encryption bypassing

A team of three security researchers have broken down the myths around Western Digital's famous My Passport hard drives, lauded to provide on-the-fly encryption for all stored data.

For a couple of years, people who wanted privacy and security often chose Western Digital's My Passport portable hard drive. This HDD is not only quite small, good-looking, and very feature-packed, but also provides built-in security features for both its software and hardware parts.

Some of its two most prominent features were the fact that users could protect the hard drive using a password, and that all data written to its disks was encrypted in real time.

Hard drive encryption could be cracked using brute force attacks

According to recent research that dug deep into the inner workings of various My Passport models, the hard drives seem to be affected by a series of security flaws that allow attackers to bypass both the built-in encryption and password-based authentication system.

As the researchers explain, some of the models from the six they analyzed easily give up under the pressure of a simple brute-force attack, letting attackers break their encryption.

Additionally, the password authentication could also be bypassed as easily, enabling any attacker to install fully functional backdoors on infected devices.

Malicious firmware updates were possible as well

To make things worse, all WD models analyzed allowed attackers to take over the firmware update mechanism via "evil maid" and "badUSB" attacks, and install their own malicious code instead.

"The weakest hardware model in terms of security is the INIC-3 608 bridge," say the researchers. "The chip does not support hardware accelerated AES encryption. [...] One single command sent to the device will reveal the KEK [Key-Encrypting Key], even if the disk is in a locked state."

A 36-page paper (PDF) about the researchers' findings and the various security holes detailed for each hard drive family is available on the International Association for Cryptologic Research website.

Source

[straycat19]

I have said it before and I will say it again, anything made by man can be broken and circumvented by man. Security begins by not letting a device fall into the wrong hands or be accessed by unauthorized users, if you don't have that level of security then you have no security at all. Goes back to the saying that a lock only keeps an honest man honest, because if someone wants to break in a lock will not stop them.