'No Excuses' As Western Digital Leaves Gaping Crypto Flaws In Hard Drives

[Sabre]

Forbes

Some serious cryptographers have bloodied foreheads today. They’ve been facepalming rather vociferously after some rudimentary vulnerabilities were uncovered in Western Digital hard drive encryption, leaving users with a false sense of security and open to data theft. What’s worse, despite working with the researchers to learn more about the weaknesses, Westen Digital told FORBES it has only evaluated the research and did not say whether it had any plans to issue fixes.

Researchers Gunnar Alendal, Christian Kisson and ‘modg’ claimed, in a paper published last month, to have uncovered various issues in Western Digital’s My Passport series of pre-encrypted hard drives. One of the more critical vulnerabilities was the use of easily-guessable data “seeds” used to create the DEK, the data encryption key formed by an algorithm combining a mix of numbers, themselves produced by pseudorandom number generators (PRNGs). Those keys are all that stand between an attacker and the data sitting on the device.

Mac Western Digital hard drive
The Windows and Apple Mac-compatible versions of Western Digital’s My Passport devices have some critical vulnerabilities and backdoors that leave user data open to hackers.

To create a DEK, after the hard drive is wiped and restarted, Western Digital devices use certain data points from the host system (either Windows or Mac OS X), which are combined as the source of “entropy”, roughly defined as the randomness collected by an operating system.

This process would produce 32 bytes, which should have been long enough to make cracking attempts difficult. But it turned out those 32 bytes were just eight repetitions of a four-byte value. And the rand() pseudorandom number generating command was used though it’s known to be flawed. Whilst it was “seeded” with time data on the system, that’s also known to be cryptographically weak. Professor Alan Woodward, a cryptography expert from the University of Surrey, said using time in a security protocol was “something a novice might do but you wouldn’t expect seasoned security engineers to do it”.

The researchers noted this value would be incredibly simple to guess: “The conclusion is that the host computer only provides, at best, a 32-bit unknown value to be used as key material for the DEK generation scheme. This is easily bruteforce-able.” With that value, it would be far easier for the hackers to guess the right key and get at data on the hard drive.

It was also discovered the key used to protect the DEK was encrypted with a key stored in the firmware. That meant it could be easily extracted from the device for bruteforcing attempts. The firmware, on some devices, could also easily be rewritten to grab the user’s password, whilst other backdoors were uncovered. For a full technical description and the specific models affected, read the paper linked here.

Though the researchers declined to go into more detail on possible attack vectors, Alendal said over email Western Digital had been informed and there had been “good contact” between the two parties. But he was not aware of any fixes. “I’m currently not aware of any fixes, but I’m not actively checking for any.” A Western Digital spokesperson simply said: “We continue to evaluate the observations.”

Ultimately, it’s apparent anyone who can grab another’s Western Digital device has a good chance of getting at the data inside. Woodward said there was simply “no excuse” for the myriad oversights.

“They use functions for generating randomness that have been known for yonks to be inappropriate,” he told FORBES.

“What is worrying is that people are being encouraged to secure data on hard drives, especially removables, and, until today, I would quite happily have trusted that this manufacturer had done the necessary design work to keep my data secure. Personally, I would be very wary of assuming any data stored using these disks is now secure… Users, especially domestic users, have a right to assume it does what says on the tin.”

lol, that isn't lazy code, that's stupid.

[complacent]

yikes.

[ElZorro]

Speaking of, anyone try https://veracrypt.codeplex.com/ yet?

[complacent]

at this point, i'm hesitant to experiment with any crypto that hasn't been publicly or professionally vetted. i'd need to do some research first.

[Sabre]

Nope, I haven't tried that! We've ripped out PGP Disk encryption and replaced it with BitLocker across the board now though.

[complacent]

bitlocker and filevault at work here as well.

[ElZorro]

I'd love to use those, but they didn't include a TPM in my laptop.