Western Digital, a manufacturer of self-encrypting external hard drives, is facing a crisis in reputation. Academic researchers have uncovered a critical security flaw in the company’s self-encrypting external hard drives.
The consumer-grade My Passport hard drives have issues with its encryption capabilities as a result of the vulnerability. This problem not only puts the company’s name in jeopardy, but also the data of customers in a certain risk of exposure to attackers.
Based on the researchers’ findings after studying at least six hardware models built by Western Digital, it was found that the flaws allow hackers to conduct brute-force password guessing, find critical keys that are saved in the drives in order to evade security checks and supplant the firmware in order to establish a backdoor into the drives.
Encryption keys have also been exposed to attacks, meaning hackers will be able to access to hard drives without having to go through the burden of the authentication process. Ever since the critical device vulnerability has been discovered, Western Digital has failed to release a patch for the problem that involves hard drives produced in the years beginning 2007 through 2013.
The security flaw affects not only the hard drives of Western Digital, but it also involves the USB devices built for the drives. In normal cases, the hard drives allows for the encryption and decryption processes with the USB bridge linking the host to the drive’s SATA interface, the access to which is granted only with the correct password.
But the new models of the drive are now facilitating the encryption and decryption processes via the SATA controller. A key is then automatically created by the user’s password, and that key works to secure another key that is used to protect the data stored in the drive. All these keys are factory-set, meaning they use a random string of numbers.
Security experts consider this an ill-advised practice because it makes the drive less insecure since the protection is being lowered in this case to 32 bits from 256 bits of encryption. So that the attackers have easier ways and means to crack the drive, the keys are seeded only with Western Digital’s time stamp.
But even before the drive requires a password from anyone who would attempt to access the drive, the device is already rendered insecure because the key generated by the user’s password has been saved in the drive. The data encryption key is also at risk due to the vulnerable RAM.