Western Digital Hard Drives Feature Multiple Security Flaws: Report

By Manish Singh | Updated: 21 October 2015 11:46 IST

According to researchers, several vulnerabilities have been found in the built-in encryption offered with Western Digital hard drives. The vulnerabilities, if exploited, can give an attacker access to the data on a password-protected hard drive. The hard drive manufacturer has acknowledged the existence of flaws in its hardware-based encryption but did not reveal if it was working on a fix.

Security researchers Gunnar Alendal, Christian Kison, and one who goes by the alias "modg," investigated how the self-encryption feature is implemented in several popular Western Digital My Passport and My Book models. The researchers presented a paper last month titled "got HW crypto? On the (in)security of a Self-Encrypting Drive series" reporting vulnerabilities in these hard drive models. They found that the drives had various design flaws, depending on the type of microchip used for the encryption.

The researchers said most hard drive brands come with a built-in capability to encrypt all stored data. The hard drive uses strings to create the DEK, the data encryption key. In theory, this produces a 32-byte key, which should be hard enough to break. But as the security researchers noted, the algorithm the hard drive uses yields just repetitions of a four-byte value.
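A key-quality check for the weakness described above, where a 32-byte key turns out to be a short value repeated. This is an added example, not code from the article or the researchers' paper; the function names, the 128-bit threshold and the sample keys are assumptions constructed for illustration.

```python
def smallest_period(buf: bytes) -> int:
    """Smallest p such that buf[i] == buf[i % p] for every index i."""
    n = len(buf)
    for p in range(1, n):
        if all(buf[i] == buf[i % p] for i in range(p, n)):
            return p
    return n  # no shorter repeating unit found


def entropy_upper_bound_bits(key: bytes) -> int:
    """A key that is a repeated p-byte unit has at most 8*p bits of entropy."""
    return 8 * smallest_period(key)


def audit_key(key: bytes, min_bits: int = 128) -> dict:
    """Flag keys whose structure caps their strength below min_bits.

    This only catches simple repetition; passing it does not prove the
    key came from a good random source.
    """
    period = smallest_period(key)
    bound = 8 * period
    return {
        "length_bytes": len(key),
        "period_bytes": period,
        "max_entropy_bits": bound,
        "weak": bound < min_bits,
    }


# Constructed sample keys (not taken from any real drive).
REPEATED_4_BYTE = bytes.fromhex("1a2b3c4d") * 8   # 32 bytes, 4-byte unit
ALL_ZERO = bytes(32)                               # 32 bytes, 1-byte unit
NON_REPEATING = bytes(range(32))                   # 32 distinct bytes

if __name__ == "__main__":
    for name, key in [("repeated", REPEATED_4_BYTE),
                      ("zero", ALL_ZERO),
                      ("non-repeating", NON_REPEATING)]:
        print(name, audit_key(key))
```

A 32-byte key built from a four-byte unit is capped at 32 bits, a space small enough to search exhaustively regardless of the cipher used.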

The researchers also found flaws in the USB bridge chips used in WD drives. If exploited, the flaw allowed an attacker to gain backdoor access to the encrypted data. In some cases, the researchers also found that the chip stored the key in plain text in its EEPROM, making it easy to recover.

"We developed several different attacks to recover user data from these password-protected and fully encrypted external hard disks," the researchers noted. "In addition to this, other security threats are discovered, such as easy modification of firmware and on-board software that is executed on the user's PC, facilitating evil maid and badUSB attack scenarios, logging user credentials, and spreading of malicious code."

Newer My Passport hard drives use the JMicron JMS569, which can be forcibly unlocked using forensic tools able to access unencrypted portions of the drive. These forensic tools are commercially available.

The researchers also noted that the firmware update process on the tested hard drives did not use cryptographic signature verification, which makes it prone to attacks. In theory, an attacker could plant malware in the firmware to infect host computers, and even add cryptographic backdoors.

The security researchers said that they have informed the hard drive company about the vulnerabilities, and that they are not aware if the company is working on a fix. A Western Digital representative told Forbes that the company continues "to evaluate the observations."

 
