WD HDDs allow authentication and encryption bypassing

Oct 21, 2015 10:50 GMT  ·  By

A team of three security researchers have broken down the myths around Western Digital's famous My Passport hard drives, lauded to provide on-the-fly encryption for all stored data.

For a couple of years, people who wanted privacy and security often chose Western Digital's My Passport portable hard drive. This HDD is not only quite small, good-looking, and very feature-packed, but also provides built-in security features for both its software and hardware parts.

Some of its two most prominent features were the fact that users could protect the hard drive using a password, and that all data written to its disks was encrypted in real time.

Hard drive encryption could be cracked using brute force attacks

According to recent research that dug deep into the inner workings of various My Passport models, the hard drives seem to be affected by a series of security flaws that allow attackers to bypass both the built-in encryption and password-based authentication system.

As the researchers explain, some of the models from the six they analyzed easily give up under the pressure of a simple brute-force attack, letting attackers break their encryption.

Additionally, the password authentication could also be bypassed as easily, enabling any attacker to install fully functional backdoors on infected devices.

Malicious firmware updates were possible as well

To make things worse, all WD models analyzed allowed attackers to take over the firmware update mechanism via "evil maid" and "badUSB" attacks, and install their own malicious code instead.

"The weakest hardware model in terms of security is the INIC-3 608 bridge," say the researchers. "The chip does not support hardware accelerated AES encryption. [...] One single command sent to the device will reveal the KEK [Key-Encrypting Key], even if the disk is in a locked state."

A 36-page paper (PDF) about the researchers' findings and the various security holes detailed for each hard drive family is available on the International Association for Cryptologic Research website.

Update: Western Digital says it's already looking into some security claims, but according to researchers, the company was already aware of the issues at the time of publishing the paper.

Western Digital MyPassport model
Western Digital MyPassport model

Photo Gallery (2 Images)

Western Digital MyPassport hard drives
Western Digital MyPassport model
Open gallery