WD Self-Encrypting Hard Drives Have Data-Exposing Flaws

Popular Western Digital external hard drives that have an added feature of hardware-based encryption have been discovered to have critical security flaws that allow snoopers and attackers to gain access and recover data without the hard drive owner’s password.

A team of security engineers has discovered that the self-encryption feature implemented in Western Digital My Passport and My Book hard drives is flawed and vulnerable to exploits by attackers. The discovery was published in a research paper available here.

The Hardware Exploits

The microchips used for the encryption in both models of the hard drives contain design flaws and backdoor-esque features that could potentially allow a simple brute-force password attack to gain access to the data. The data can even be decrypted without requiring the password.

Furthermore, the researchers found that the encryption is performed by the chip that bridges the USB and SATA interfaces. Encryption performed by the HDD’s own SATA controller was also observed, with the device’s USB bridge handling only the password validation, as reported by Computer World.

The two Western Digital drives contained six different USB bridges from various manufacturers including Symwave, PLX Technology, JMicron Technology and Initio. Despite the differences between the various chips used in the production of the hard drives, the security issues, varied as they were, were all serious, according to the researchers.

A Firmware Update Only Adds to It

The firmware update process on the hard drives does not use cryptographic signature verification either, leaving the device open to a hijack. Attackers could potentially implant malware within the firmware and disguise it as an update to infect the host computers to which the hard drives are connected. Alternatively, malware developers could also add cryptographic backdoors to steal data without discovery.

Western Digital have been contacted by the security researchers and are currently looking into the observations made over the two popular external drives.

Responding to the independent researchers by email, a representative for Western Digital said:

“We highly value and encourage this kind of responsible community engagement because it ultimately benefits our customers by making our products better.”