Western Digital self encrypting hard drives are having security flaws with which attackers can physically access and retrieve the data with little effort and in some cases without even knowing the decryption password.
A whitepaper released recited a litany of weaknesses in the multiple versions of My Passport and My Book brands of external hard drives. The flaws make it possible for people to steal vulnerable drive information to decrypt contents, even when they are locked won with a long and randomly generated password.
Thus, with the discovery of security vulnerabilities on WD My Passport and My Book drives it is clear that both authentication and confidentiality of user data is at high risk when users use their drives for enterprise needs.
Most of the disks studied encrypt and decrypt data using a USB bridge that connects a computer to the external drive’s SATA interface. The interface is supposed to be off limits until after the computer user has entered the correct password, and to prevent cracking attacks that try billions of password guesses each second, the plain-text passcode is cryptographically salted and subjected to 1,000 iterations of the SHA256 hash function.
But a constellation of errors makes it possible to crack the password in a short amount of time. In one case, the underlying key was predictable because the random numbers used to generate it was derived from the current time on the computer clock. That flaw was fixed last year, but it’s likely many people with vulnerable drives have no idea they’re at risk. In other cases, it was possible to extract the hash off the drive and load it onto a computer so it could be subjected to off-line cracking.
Yet another flaw constitutes the equivalent of a backdoor that could allow an attacker to decrypt data without knowing or cracking the user password at all. The drives ship with a default password, but in cases where it has been changed to a user-defined password only once, the key corresponding to the default password remains stored on the device, making it trivial for adversaries to decrypt it. The flaw can overcome by resetting the password a second time, but without that knowledge, its likely many users will not take the time to do so.
More details are available on the 36-page whitepaper accessible through the following link
Hope, Western Digital wakes up early and finds a solution for this menace asap!