Researchers find encryption systems are really easy to crack

Oct 21, 2015 17:56 GMT  ·  By

When it comes to privacy, computer users across the world are really willing to invest more money to keep their files away from prying eyes, and for many people, self-encrypting hard disks are the first option.

And it's no wonder why: they are really affordable and they promise to protect all the data stored on them, so they seem to provide very good quality for the money.

But that high-level encryption that they claim to offer is not as advanced as some might be tempted to believe.

Security researchers who have looked into this self-encrypting method have posted a paper on the Full Disclosure email list to provide us with an in-depth look at a problem that affects this type of HDD in general, and the ones manufactured by Western Digital in particular. As we told you earlier today, malicious firmware updates could compromise HDD encryption, but the issue doesn't stop there.

Before stepping into more details, there's something that really needs to be taken into account: the Full Disclosure email list is the place where security researchers post their findings after contacting the parent company and not receiving an answer. In other words, Western Digital has been informed of the security problems found by these experts, but the company refused to cooperate and look into the matter. So they decided to go public with everything.

Passwords stored in plain text locally

According to Motherboard, which spoke with Matthew Green, assistant professor at Johns Hopkins University, one of the main issues, which also affects WD's My Passport drives, is that encryption keys are generated using the C rand() function. rand() is a general-purpose pseudo-random number generator, not one designed for cryptographic use, and the number it produces is then used to encrypt the drive.

Moreover, the current time (in 32-bit timestamp format) is used as the seed when generating the key, which, according to Green, makes it easy to crack in a short time even with a single PC, so no supercomputer is needed.
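The pattern described above, next to a hardened alternative, as an added example that is not code from the researchers' paper or from Western Digital's firmware. The 32-byte key length, the function names and the timestamp are assumptions made for illustration; the point is that a key derived from a time-seeded rand() is only as unpredictable as the creation time.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 32 /* assumed key size, for illustration only */

/* Weak pattern: key bytes come from rand() seeded with a 32-bit
   timestamp. The same seed always yields the same key. */
void weak_keygen(uint32_t seed, uint8_t key[KEY_LEN]) {
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Count the seeds in [start, end] that reproduce `key` and store the
   first one in *found. The loop length is the real size of the key
   space: the number of seconds of uncertainty about creation time. */
int seeds_matching(const uint8_t key[KEY_LEN], uint32_t start,
                   uint32_t end, uint32_t *found) {
    uint8_t cand[KEY_LEN];
    int hits = 0;
    for (uint64_t s = start; s <= end; s++) {
        weak_keygen((uint32_t)s, cand);
        if (memcmp(cand, key, KEY_LEN) == 0 && hits++ == 0)
            *found = (uint32_t)s;
    }
    return hits;
}

/* Hardened form: read key bytes from the OS CSPRNG. 0 on success. */
int strong_keygen(uint8_t key[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

int main(void) {
    const uint32_t t = 1445450160u; /* constructed sample timestamp */
    uint8_t key[KEY_LEN];
    uint32_t found = 0;
    weak_keygen(t, key);
    int hits = seeds_matching(key, t - 86400, t + 86400, &found);
    printf("weak: %d seed(s) in a 2-day window, first=%u\n", hits, found);
    printf("strong: %s\n", strong_keygen(key) == 0 ? "ok" : "failed");
    return 0;
}
```

Even with no knowledge of the creation time, a 32-bit seed allows at most 2^32 distinct keys, regardless of how long the key itself is.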

As if it wasn't easy enough to crack such a password, it doesn't stop here. Passwords are actually stored on the hard drive in plain text.

WD: We're looking into the matter

As far as Western Digital is concerned, the issue is not as worrying as we tend to believe. The company said in a statement for the aforementioned source that while they have already talked to security researchers regarding the encryption used on some HDD models, they are still “evaluating the observations.”

“We highly value and encourage this kind of responsible community engagement because it ultimately benefits our customers by making our products better. We encourage all security researchers to responsibly report potential security vulnerabilities or concerns to WD Customer Service and Support,” a spokesperson said.

The bottom line? Don't trust a self-encrypting HDD and make sure you don't copy critical data on such a drive. Any password can be cracked, but in Western Digital's case, it all becomes painfully easy.