Self-Encrypting Western Digital Hard Drives Easy To Crack

New submitter lesincompetent writes: Security researchers have found severe flaws in the encryption methods used in certain hard drives from Western Digital. Quoting the abstract should be enough to show how dire the situation is: "We will describe the security model of these devices and show several security weaknesses like RAM leakage, weak key attacks and even backdoors on some of these devices, resulting in decrypted user data, without the knowledge of any user credentials." The paper by Alendal, Kison and modg is available here in PDF format.

Ah good - can I get at my backups now?

[tebee]

I used an external WD hard drive for my backups, but it decided to not speak to the computer anymore last week. I assume it's the USB interface has died as it's no longer recognized by the computer.

So I pulled the drive out of it and plugged it in as in internal drive to the desktop computer. It could see the drive so it was still working, but it could not recognize the format of it.

Research showed me that western digital use a hardware encryption chip on the driver board to protect user data.

So if someone steals the hard drive out of my external drive they won't be able to read my data. If, on the other hand they steal the whole external hard drive, they will have the encryption chip too and can just plug it into their usb and read everything of mine.

This seems a spectacularly useless feature which just makes life hard for me - but maybe I can fix it now !

Re:

[inasity_rules]

Wait... Seriously? There is not even a passcode you need to enter?

Re:

[bloodhawk]

There is a password, it is just useless. sounds like the OP doesn't understand what he is seeing though.

Re:

[Anonymous Coward]

No, that's not what that is. The cryptography happens on the actual drive, not in the USB-SATA adapter. For several reasons, hard disks have begun using 4K sectors instead of 512B sectors, and USB-SATA adapters have gained the capability of presenting a hard disk with 4K sectors as if it used 512B sectors and vice-versa. If you remove the drive from the enclosure, you see the effect of that remapping that some USB-SATA adapters perform. Suddenly all offsets in partition tables and filesystems are wrong, bec

Re:

[Anonymous Coward]

I should've read the article. There are indeed some WD USB disks where the USB-SATA adapter performs the encryption. Anyhow, if you never installed WD-provided software for your drive and never entered a password, the more likely explanation is still a sector size remapping. Try to read raw sectors from the disk and pipe them through "strings" to see if there is any recognizable content: dd if=/dev/sdx | strings where /dev/sdx is the device name of the disk.

Re:

[goarilla]

I usually do xxd /dev/sdx | fgrep 'R.NTFS' to find NTFS drives. But yes some WD USB disks use the password to encrypt the master key situated on the small adapter card.

Re:

[goarilla]

At least that's how I think they do it.

Re: Ah good - can I get at my backups now?

[Anonymous Coward]

The usb clip on mine had broken off, which is a common problem. I ordered a new board, but still couldn't read the data. WD is no help of course. This article gives me a bit of hope that all is not lost.

Re:

[donaldm]

Research showed me that western digital use a hardware encryption chip on the driver board to protect user data.

Basically if your hard drive has failed and if you are a bit worried about it falling into someones hands if you discard it then the best solution is to destroy the hard disk platter.

It must be noted that it is only the hard disk that retains all your data even though the electronics may have failed or there are too many bad blocks that the disk is flagged as failed.

To destroy the hard disk is fairly simple to do, however it is best to wear eye protection just in case. Just undo the four or five screws on t

Re:

[Solandri]

So I pulled the drive out of it and plugged it in as in internal drive to the desktop computer. It could see the drive so it was still working, but it could not recognize the format of it.

Research showed me that western digital use a hardware encryption chip on the driver board to protect user data.

That's probably not the reason. A lot of recent external drives use a proprietary formatting scheme. If you remove the drive from the enclosure and plug it straight into your computer, your computer will no

Re:

[fennec]

I had the same issue with a friend's WD essential. I tried many things, I eventually managed to reflash the firmware with an older version of the update program, and it showed up after repluging it. I then saved all the content to anther drive.

Any use of this?

[Anonymous Coward]

I always thought that encryption should be handled by the OS -- not the drive, and that these "encrypting hard drives" are a gimmick to add one bullet point to the retail box and lure non-technical buyers.

Re:Any use of this?

[e70838]

hardware encryption are also a way to fight against open source. First, special drivers have to be develop to handle the features. Second, it suggest that the encryption is handled by the hardware and that there is no benefit in having the OS providing better encryption.

Re:

[cfalcon]

Pls mod up. It gains the illusion of security at the expense of actual security. Every abstraction layer that can peek into owner-controlled space (such as a physical device that can read RAM without being gated by the CPU) hurts your actual real audited software encryption. Every layer that offers hidden encryption, (such as hardware, especially hardware that gets to vet or view the output of a user controlled CPU, or hardware that sits below the owner controlled opcodes, such as a soft-updateable CPU "

Re:

[WorBlux]

How do you even know your software encryption program is actually unmodified and not modified or spied upon by parts of the OS modified to be malicious? Unless you air-gap the computer (and even that sometimes isn't enough (high-frequency listening implanted in the firmware) and keep it in a tamper-evident pouch when you aren't using it? Otherwise you need at minimum you need a verified boot chain and a cryptographically signed file-system. Yes the keys should be owner accessible or replicable, but unfortun

Re:

[WorBlux]

How many 128-bit keys can you memorize?

Re:

[nedlohs]

All of them,

Re:

[aaaaaaargh!]

Encryption at the hard drive level would be vastly superior to any encryption by the OS, if it was done correctly and with tamper-resistant chips. However, history has shown that dedicated hardware encryption devices for the consumer market practically always contain backdoors or ridiculous weaknesses. Practically always, if not always. Even expensive professional devices are only moderately trustworthy (see e.g. the "Crypto AG" story), most "professional" encryption based on closed source software or hardw

Re:

[JesseMcDonald]

If you allow the operating system to manage the key and/or passphrase entry, a hardware device offers no additional security.

As far as I can tell, the only additional security you might get from implementing the encryption in the hardware is that since disabling the drive encryption without losing data requires the lengthy step of rewriting all the data on the drive, it becomes harder to exfiltrate cleartext by writing it to the hard drive unencrypted. As attacks go, this isn't a very likely one; it still requires the attacker to gain physical access to the drive, when they probably have much better ways to get data off a running

Re:

[cfalcon]

On open piece of hardware that behaves in an owner-controlled way would be no different than your CPU. But repeatedly and endlessly, this is never what we see.

TrueCrypt

[dinfinity]

I bought one of the WD Passport drives, but I immediately decided that I didn't want to rely on a harddisk manufacturer for security and encryption (or deal with potentially very crappy software).

So I just created a TrueCrypt partition and now sometimes deal with the very slight inconvenience of having to mount it (and with the risk that TC has actually become less safe than the alternatives, of course).

Re:

[OzPeter]

Unless you throughly reviewed and and independently tested TrueCyrpt all you seem to have done is to exchange one set of assumptions for another (and you also allude to the fact that you have no idea as to the quality of TrueCrypt.)

Re:

[Sumus Semper Una]

Unless you throughly reviewed and and independently tested TrueCyrpt all you seem to have done is to exchange one set of assumptions for another (and you also allude to the fact that you have no idea as to the quality of TrueCrypt.)

Unless you have the time and the background to understand each choice you will ever be given, you're going to have to make some assumptions in life. Does it not make more sense to assume that well known software whose sole purpose is encryption might be better than software added on by a manufacturer who is not necessarily well known to be knowledgeable in encryption practices?

Re:

[OzPeter]

Does it not make more sense to assume that well known software whose sole purpose is encryption might be better than software added on by a manufacturer who is not necessarily well known to be knowledgeable in encryption practices?

I think you are trying for a definition of irony here - countering my assertions on the unknown state of knowledge when applying assumptions - with an assumption.

Re:

[dinfinity]

Your logic is flawed. Just because something is an assumption doesn't mean it is as unreliable as any other assumption.

Honestly, do you not see the stupidity of trying to lecture me on a decision that has already proven to be the right one and the irony of doing so in the comments on an article that actually provides that proof?
WD's products have proven to suck at cryptography and security. TC has not (yet).
WD makes harddisks. TCs is a product aimed 100% at cryptography and security.

Lumping them both togeth

Re:

[OzPeter]

So when did you come to the realization that WD cryptography is crap? Was it before this report came out? Or are you only jumping on the bandwagon now and post hoc claiming the validity of your decision?

Prior to this report you'd think that it was a reasonable assumption that a company with a $17B market cap could hire as many cryptography experts as they wanted to work on their products rather than pass it off to the current intern. But no, your decision was not based on any facts but rather an emotiona

Re:

[dinfinity]

Was it before this report came out? Or are you only jumping on the bandwagon now and post hoc claiming the validity of your decision?

No. I made the decision for the reason I mentioned. My experience with most manufacturers doing things that are outside of their core business is that those things tend to suck (badly).

Prior to this report you'd think that it was a reasonable assumption that a company with a $17B market cap could hire as many cryptography experts as they wanted to work on their products rather than pass it off to the current intern. But no, your decision was not based on any facts but rather an emotional response to your beliefs of the relative merits of each product.

It is irrelevant how many experts they could hire. It is relevant how many experts they probably would hire. They know fuck-all about cryptography and security and are very probably not going to understand how much time and effort is required to do them right. I also don't believe they care enough about doing it right. It's m

Re:

[GameboyRMH]

Why haven't you moved to VeraCrypt [codeplex.com] yet?

Re:

[dinfinity]

I don't really trust VeraCrypt yet.

Last time I checked, it was a product of just one French guy who may not even have a very, very solid understanding of cryptography. Even if he's not malicious, his well-intended changes might be making the product worse rather than better.

I'll reevaluate it at some point in the near future, however.

Do not trust firmware or embedded hardware

[gweihir]

The researchers managed to break in because of gross design and implementation errors. Even venerable and well-known (and utterly stupid) faults like low-entropy key generation make several appearances, as do possibilities to simply read keys from EEPROM or disk or keys encrypted with a static key and stored on the device itself without the need to do so. The only valid conclusion is that none of the "engineers" involved have any reasonable level of experience and knowledge as to how to implement cryptography right. As a consequence they all fail.

Re:

[goarilla]

I wonder if the same people implement their Enterprise SED schemes.

Re:

[gweihir]

Probably. Nobody is going to analyze these anyways, far too for expensive. And why have a second design team when you already have one that does fine work?

Re:

[fuzzyfuzzyfungus]

They may or may not have any better people on the job; but 'enterprise' SED usually means 'TCG Opal Compliant', which would require a different implementation than the drives described here. I don't know how well that spec prevents shoddy implementations; but it involves a bunch of standardized interaction between the drive, OS/driver, and TPM; while the 'encryption' here is purely between WD's lousy software and their dodgy little USB/SATA bridge chip.

I don't know how much better the situation is or isn

Re:

[gweihir]

It would be different, yes. But if the same clueless people did it, I have no doubt they found ways to screw it up.

Re:

[swb]

I would think that encryption at the OS level would be a safer concept anyway. It's closer to where the data is actually used and generated and guarantees that the data is encrypted no matter what device a given system is writing to.

It's not hard to see situations where an OS is moved to other hardware or backing storage is changed. Relying on encrypted disks providing that suddenly means it's unencrypted.

Re:

[aaaaaaargh!]

Encryption at the OS level is very insecure, because common operating systems are very insecure.

But I agree that in the end the difference doesn't matter, since the only secure hardware encryption would be an external drive with independent key entry, i.e. an external drive with its own keypad. Why use a hardware device if a simple keystroke logger is enough to "break the encryption"?

Re:

[gweihir]

At the same time, your argument is completely irrelevant as this is only about protecting data-at-rest, i.e. the OS does the encryption, but it is not running at attack time. Unless the OS screws up the encryption itself, it will be secure.

Re:

[GrumpySteen]

The only valid conclusion is that none of the "engineers" involved have any reasonable level of experience and knowledge as to how to implement cryptography right.

Hooray for outsourcing engineering to the lowest bidder from India!

Re:

[gweihir]

Or China. I once was on the phone with a crypto-implementer in China for a very well known US company, and I had to explain basic encryption concepts to him.

Re:

[silas_moeckel]

But I am sure his resume said he had decades of experience and several PHD's in the subject even though he was only 25.

Re: Do not trust firmware or embedded hardware

[bill_mcgonigle]

The only valid conclusion is that none of the "engineers" involved have any reasonable level of experience and knowledge as to how to implement cryptography right. As a consequence they all fail.

Generally speaking, everybody gets crypto wrong. The factors that we can control are how many people are looking at the code and how good is the reputation of the authors.

Who wrote the WD firmware? A low bidder anonymous tech firm? An intern working on reference demo code?

Smart people will run LUKS on their drive

Re:

[gweihir]

The NSA is mostly signals intelligence. The attacks here are for physical access to the unplugged device. This does not fit.

Re:

[cfalcon]

Given that all brands are generally manufactured in similar facilities (down to the fact that when there was a tsunami in one specific area, ain't nobody shipping shit for months), why do you think this? Can you link to something?

Business as usual

[UberVegeta]

"Quoting the abstract should to be enough" Business as usual on /. then.

Re:

[Solandri]

Can anyone think of a case where the encryption on these drives is somehow useful to the owner?

They're used on corporate laptops where sensitive data is stored on the HDD, in case the laptop is lost or stolen. Even if the laptop is protected by a BIOS password and a Windows password, someone can still remove the HDD, connect it to a different computer, and access the data that way. Encrypting the HDD prevents that mode of attack.

NopeNopeNopeNope...

[Aaden42]

From TF-PDF:

These hard drives comes pre-formatted, pre-encrypted

So WD by definition knew the AES key the drive was encrypted with. Even if they did everything else perfectly (which they clearly didn't), somebody besides you knew the key. Fail...

Shocking news

[JustAnotherOldGuy]

"...several security weaknesses like RAM leakage, weak key attacks and even backdoors on some of these devices, resulting in decrypted user data, without the knowledge of any user credentials."

I know I'm simply stunned by this hard-to-believe finding.

It's almost like somebody somewhere intended for the drive to be able to be read in spite of all the super-duper-mega-awesome data protection whatchamacallit stuff.

Either that or all of the engineers at Western Digital involved in designing this thing are utter morons who have no idea what they're doing.

Re:

[antdude]

Most likely "Either that or all of the engineers at Western Digital involved in designing this thing are utter morons who have no idea what they're doing."