Western Digital Hard Drives Feature Multiple Security Flaws: Report

Advertisement
By Manish Singh | Updated: 21 October 2015 11:46 IST
Western Digital Hard Drives Feature Multiple Security Flaws: Report

According to researchers, several vulnerabilities have been found in the built-in encryption offered with Western Digital hard drives. The vulnerabilities, if exploited, can give an attacker access to the data on a password-protected hard drive. The hard drive manufacturer has acknowledged the existence of flaws in its hardware-based encryption but did not reveal if it was working on a fix.

Security researchers Gunnar Alendal, Christian Kison, and one who goes by the alias "modg," investigated how the self-encryption feature is implemented in several popular Western Digital My Passport and My Book models. The researchers presented a paper last month titled "got HW crypto? On the (in)security of a Self-Encrypting Drive series" reporting vulnerabilities in the abovementioned hard drive models. They found that the hard drive models depending on the type of microchip they used for the encryption had various types of design flaws.

The researchers said most hard drive brands come with a built-in capability to encrypt all stored data. The hard drive uses strings to create DEK, the data encryption key. In theory, it produces 32 bytes, which should still be hard enough to decrypt. But as security researchers noted, the algorithm which the hard drive uses encapsulates just repetitions of a four-byte value.

The researchers also found flaws in the USB bridge chips used in WD drives. If exploited, the flaw allowed an attacker to gain backdoor access to the encrypted data. In some cases, furthermore, the researchers found that the chip stored the key in plain text in its EEPROM, making it easy to recover it.

Advertisement

"We developed several different attacks to recover user data from these password-protected and fully encrypted external hard disks," the researchers noted. "In addition to this, other security threats are discovered, such as easy modification of firmware and on-board software that is executed on the user's PC, facilitating evil maid and badUSB attack scenarios, logging user credentials, and spreading of malicious code."

Newer My Passport hard drives use JMicron JMS569 that can be forcibly unlocked using forensic tools able to access unencrypted portions of the drive. These forensic tools are commercially available.

Advertisement

The researchers also noted that the firmware update process on the tested hard drives did not use cryptographic signature verification which makes it prone to attacks. In theory, one can riddle the firmware with malware and infect host computers and even add cryptographic backdoors in them.

Security researchers said that they have informed the hard drive company about the vulnerabilities, and that they are not aware if the company is working on a fix. A Western Digital representative told Forbes, that the company continues "to evaluate the observations."

 

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Advertisement

Related Stories

Popular Mobile Brands
  1. Vivo Y400 Pro 5G India Launch Date Confirmed; Design Revealed
  2. Poco F7 Launch Date, Price in India, Design and Key Features Leaked Online
  3. Realme Narzo 80 Lite 5G Launched in India With 6,000mAh Battery: See Price
  4. OnePlus Nord 5 Series, OnePlus Buds 4 to Launch in India on This Date
  5. Boat SmartRing Active Plus Launched in India: Check Price, Features
  6. Samsung Galaxy Z Fold 7, Galaxy Z Flip 7 May Get Big Gemini Live Upgrades
  7. Xiaomi Pad 7S Pro Launch Date, Key Specifications Revealed Ahead of Launch
  8. Oppo K13x 5G India Launch Date, Price Range and Key Features Revealed
  9. You Can Now Download Generated Canvas in ChatGPT
  1. Hisense U7Q Mini-LED TV With 144Hz Gaming Support, Built-in Subwoofer Launched in India
  2. OnePlus Nord 5, Nord CE 5, and Buds 4 India Launch Date Set for July 8; Key Features, Availability Revealed
  3. OpenAI Makes Canvas in ChatGPT Downloadable, Adds New Capabilities to Projects
  4. Poco F7 Launch Date and Price in India Leaked; Design, Key Features Tipped Again
  5. Vivo X200 FE Confirmed to Launch Soon in Global Markets; Pre-Reservations Begin
  6. Xiaomi Pad 7S Pro Launch Date, Key Specifications Including XRING O1 Chip Revealed
  7. Crypto Price Today: Bitcoin Edges Past $106,000 in Modest Recovery; Altcoins See Gains
  8. Apple to Ship 2.8 Million iPhone Units in India in Q2 2025 Despite Seasonal Slowdown, Heat Wave: Report
  9. Nintendo Switch 2 Sets All-Time Launch Week Sales Record in the US, Beating Sony's PS4
  10. Google’s Plan to Buy Security Firm Wiz Gets Antitrust Review
Gadgets 360 is available in
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.