Western Digital's hard drive encryption is useless. Totally useless

The encryption systems used in Western Digital's portable hard drives are pretty pointless, according to new research. It appears anyone getting hold of the vulnerable devices can easily decrypt them.

WD's My Passport boxes automatically encrypt data as it is written to disk and decrypt the data as it is read back to the computer. The devices use 256-bit AES encryption, and can be password-protected: giving the correct password enables the data to be successfully accessed.

Now, a trio of infosec folks – Gunnar Alendal, Christian Kison and "modg" – have tried out six models in the WD My Passport family, and found blunders in the software designs.

For example, on some models, the drive's encryption key can be trivially brute-forced, which is bad news if someone steals the drive: decrypting it is child's play. And the firmware on some devices can be easily altered, allowing an attacker to silently compromise the drive and its file systems.

"We developed several different attacks to recover user data from these password-protected and fully encrypted external hard disks," the trio's paper [PDF] [slides PDF] states.

"In addition to this, other security threats are discovered, such as easy modification of firmware and on-board software that is executed on the user's PC, facilitating evil maid and badUSB attack scenarios, logging user credentials, and spreading of malicious code."

My Passport models using a JMicron JMS538S micro-controller have a pseudorandom number generator that is not cryptographically secure, and merely cycles through a sequence of 255 32-bit values. This generator is used to create the data encryption key, and the drive firmware leaks enough information about the state of the random number generator for this key to be recreated, we're told.

"An attacker can regenerate any DEK [data encryption key] generated from this vulnerable setup with a worst-case complexity of close to 2⁴⁰," the paper states.

"Once the DEK [data encryption key] is recovered, an attacker can read and decrypt any raw disk sector, revealing decrypted user data. Note that this attack does not need, nor reveals, the user password."

Drive models using a JMicron JMS569 controller – which is present in newer My Passport products – can be forcibly unlocked using commercial forensic tools that access the unencrypted system area of the drive, we're told.

Drives using a Symwave 6316 controller store their encryption keys on the disk, encrypted with a known hardcoded AES-256 key stored in the firmware, so recovery of the data is trivial.

It must be stressed that the flaws are in WD's software running on these microcontrollers, rather than the chips themselves.

This paper on WD self-encrypting drives has to be read to be believed. https://t.co/Pjx0bJqtQR ht @jedisct1 pic.twitter.com/uX8IR6Jpqz

— Matthew Green (@matthew_d_green) October 20, 2015

Meanwhile, Western Digital says it is on the case.

"WD has been in a dialogue with independent security researchers relating to their security observations in certain models of our My Passport hard drives," spokeswoman Heather Skinner told The Register in a statement.

"We continue to evaluate the observations. We highly value and encourage this kind of responsible community engagement because it ultimately benefits our customers by making our products better. We encourage all security researchers to responsibly report potential security vulnerabilities or concerns to WD Customer Service and Support at http://support.wdc.com." ®