
Self-Encrypting HDDs Not Really Encrypted, Store Passwords in Plain Text


vissha


Self-Encrypting HDDs Not Really Encrypted, Store Passwords in Plain Text

Researchers find encryption systems are really easy to crack

When it comes to privacy, computer users across the world are really willing to invest more money to keep their files away from prying eyes, and for many people, self-encrypting hard disks are the first option.

And it's no wonder why: they are really affordable and they promise to protect all the data stored on them, so they seem to provide very good quality for the money.

But that high-level encryption that they claim to offer is not as advanced as some might be tempted to believe.

Security researchers who have looked into this self-encrypting method have posted a paper on the Full Disclosure email list to provide us with an in-depth look at a problem that affects this type of HDD in general, and the ones manufactured by Western Digital in particular. As we told you earlier today, malicious firmware updates could compromise HDD encryption, but the issue doesn't stop here.

Before stepping into more details, there's something that really needs to be taken into account: the Full Disclosure email list is the place where security researchers post their findings after contacting the parent company and not receiving an answer. In other words, Western Digital has been informed of the security problems found by these experts, but the company refused to cooperate and look into the matter. So they decided to go public with everything.

Passwords stored in plain text locally

According to Motherboard, who spoke with Matthew Green, assistant professor at Johns Hopkins University, one of the main issues, which is also impacting WD's My Passport drives, is that encryption keys are generated using the C rand() function, which means that it does nothing more than to choose a random number used to encrypt the drive.

The time when the key was created is also attached in 32-bit format, which according to Green makes it easy to crack in a short time even with a single PC, so no supercomputer is needed.

As if it wasn't easy enough to crack such a password, it doesn't stop here. Passwords are actually stored on the hard drive in plain text.

WD: We're looking into the matter

As far as Western Digital is concerned, the issue is not as worrying as we tend to believe. The company said in a statement for the aforementioned source that while they have already talked to security researchers regarding the encryption used on some HDD models, they are still “evaluating the observations.”

“We highly value and encourage this kind of responsible community engagement because it ultimately benefits our customers by making our products better. We encourage all security researchers to responsibly report potential security vulnerabilities or concerns to WD Customer Service and Support,” a spokesperson said.

The bottom line? Don't trust a self-encrypting HDD and make sure you don't copy critical data on such a drive. Any password can be cracked, but in Western Digital's case, it all becomes painfully easy.

Source
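The key-generation weakness described in the article, as an added example that is not part of the original post or the researchers' paper: a key filled from C `rand()` seeded with a 32-bit timestamp is fully determined by that timestamp, while a key read from the OS CSPRNG is not. The drive's real derivation code is not shown on this page, so `weak_keygen` is an assumed stand-in, the timestamp is constructed, and `/dev/urandom` assumes a Unix-like host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 32 /* 256-bit key */

/* Weak pattern (assumed stand-in): every key byte comes from rand(),
 * seeded with a 32-bit time, so the key is a function of the seed alone. */
void weak_keygen(uint32_t seed_time, uint8_t key[KEY_LEN]) {
    srand(seed_time);
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Hardened pattern: key bytes from the OS CSPRNG. Returns 0 on success. */
int strong_keygen(uint8_t key[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

/* Counts the seeds in [from, to] that regenerate `key`. A single hit shows
 * the 256-bit key carries no more secrecy than its creation timestamp. */
unsigned seeds_regenerating(const uint8_t key[KEY_LEN], uint32_t from, uint32_t to) {
    uint8_t candidate[KEY_LEN];
    unsigned hits = 0;
    for (uint64_t t = from; t <= to; t++) { /* 64-bit counter: no wrap at UINT32_MAX */
        weak_keygen((uint32_t)t, candidate);
        if (memcmp(candidate, key, KEY_LEN) == 0) hits++;
    }
    return hits;
}

int main(void) {
    const uint32_t created = 1445000000u; /* constructed timestamp */
    uint8_t weak[KEY_LEN], strong[KEY_LEN];
    weak_keygen(created, weak);
    if (strong_keygen(strong) != 0) return 1;
    /* One-day window around the creation time, both keys checked alike. */
    printf("rand() key:  %u matching seed(s)\n",
           seeds_regenerating(weak, created - 43200, created + 43200));
    printf("CSPRNG key:  %u matching seed(s)\n",
           seeds_regenerating(strong, created - 43200, created + 43200));
    return 0;
}
```

When auditing key-generation code, `srand(time(...))` followed by `rand()` feeding key material is the pattern to flag; the key length in bytes says nothing about its strength if the seed space is this small.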


This is essentially a parallel topic with the one here

And my same comments apply here.

I have said it before and I will say it again: anything made by man can be broken and circumvented by man. Security begins by not letting a device fall into the wrong hands or be accessed by unauthorized users; if you don't have that level of security, then you have no security at all. It goes back to the saying that a lock only keeps an honest man honest, because if someone wants to break in, a lock will not stop them.



Archived

This topic is now archived and is closed to further replies.
