western digitals hard drive encryption useless
Last Updated : GMT 05:17:37
Emiratesvoice, emirates voice
Emiratesvoice, emirates voice
Last Updated : GMT 05:17:37
Emiratesvoice, emirates voice

Western Digital's hard drive encryption useless

Emiratesvoice, emirates voice

Emiratesvoice, emirates voice Western Digital's hard drive encryption useless

Digital's portable hard drives
Tehran - FNA

The encryption systems used in Western Digital's portable hard drives are pretty pointless, according to new research.

WD's My Passport boxes automatically encrypt data as it is written to disk and decrypt the data as it is read back to the computer. The devices use 256-bit AES encryption, and can be password-protected: giving the correct password enables the data to be successfully accessed, The Register reported.

Now, a trio of infosec folks – Gunnar Alendal, Christian Kison and "modg" – have tried out six models in the WD My Passport family, and found blunders in the software designs.

For example, on some models, the drive's encryption key can be trivially brute-forced, which is bad news if someone steals the drive: decrypting it is child's play. And the firmware on some devices can be easily altered, allowing an attacker to silently compromise the drive and its file systems.

"We developed several different attacks to recover user data from these password-protected and fully encrypted external hard disks," the trio's paper [PDF] [slides PDF] states.

"In addition to this, other security threats are discovered, such as easy modification of firmware and on-board software that is executed on the user's PC, facilitating evil maid and badUSB attack scenarios, logging user credentials, and spreading of malicious code."

My Passport models using a JMicron JMS538S micro-controller have a pseudorandom number generator that is not cryptographically secure, and merely cycles through a sequence of 255 32-bit values. This generator is used to create the data encryption key, and the drive firmware leaks enough information about the state of the random number generator for this key to be recreated, we're told.

"An attacker can regenerate any DEK [data encryption key] generated from this vulnerable setup with a worst-case complexity of close to 240," the paper states.

"Once the DEK [data encryption key] is recovered, an attacker can read and decrypt any raw disk sector, revealing decrypted user data. Note that this attack does not need, nor reveals, the user password."

Drive models using a JMicron JMS569 controller – which is present in newer My Passport products – can be forcibly unlocked using commercial forensic tools that access the unencrypted system area of the drive, we're told.

Drives using a Symwave 6316 controller store their encryption keys on the disk, encrypted with a known hardcoded AES-256 key stored in the firmware, so recovery of the data is trivial.

It must be stressed that the flaws are in WD's software running on these microcontrollers, rather than the chips themselves.

Meanwhile, Western Digital says it is on the case.

"WD has been in a dialogue with independent security researchers relating to their security observations in certain models of our My Passport hard drives," spokeswoman Heather Skinner told The Register in a statement.

"We continue to evaluate the observations. We highly value and encourage this kind of responsible community engagement because it ultimately benefits our customers by making our products better. We encourage all security researchers to responsibly report potential security vulnerabilities or concerns to WD Customer Service and Support."

 

Name *

E-mail *

Comment Title*

Comment *

: Characters Left

Mandatory *

Terms of use

Publishing Terms: Not to offend the author, or to persons or sanctities or attacking religions or divine self. And stay away from sectarian and racial incitement and insults.

I agree with the Terms of Use

Security Code*

western digitals hard drive encryption useless western digitals hard drive encryption useless

 



Name *

E-mail *

Comment Title*

Comment *

: Characters Left

Mandatory *

Terms of use

Publishing Terms: Not to offend the author, or to persons or sanctities or attacking religions or divine self. And stay away from sectarian and racial incitement and insults.

I agree with the Terms of Use

Security Code*

western digitals hard drive encryption useless western digitals hard drive encryption useless

 



GMT 09:54 2018 Wednesday ,24 January

'Friendly and kind' N. Korean skaters

GMT 09:36 2017 Thursday ,07 December

Heidy Karam’s contract to present talk show close

GMT 10:50 2012 Friday ,20 January

Dusty weather expected in UAE on Friday

GMT 09:35 2018 Saturday ,13 January

New Zealand bat first in third ODI against Pakistan

GMT 10:48 2017 Saturday ,23 December

Meryl Streep's brand under threat

GMT 06:53 2017 Thursday ,11 May

17th Doha Forum To Begin Sunday

GMT 10:30 2017 Thursday ,23 November

Reports underline proliferation of weapons in Arab world

GMT 07:46 2017 Monday ,30 October

Catch it early, treat it early and move on

GMT 08:05 2015 Tuesday ,17 February

Conan O'Brien is first late night host to film in Cuba

GMT 16:17 2018 Thursday ,30 August

Five Saudi women pilots granted GACA licences
 
 Emirates Voice Facebook,emirates voice facebook  Emirates Voice Twitter,emirates voice twitter Emirates Voice Rss,emirates voice rss  Emirates Voice Youtube,emirates voice youtube  Emirates Voice Youtube,emirates voice youtube

Maintained and developed by Arabs Today Group SAL.
All rights reserved to Arab Today Media Group 2021 ©

Maintained and developed by Arabs Today Group SAL.
All rights reserved to Arab Today Media Group 2021 ©

emiratesvoieen emiratesvoiceen emiratesvoiceen emiratesvoiceen
emiratesvoice emiratesvoice emiratesvoice
emiratesvoice
بناية النخيل - رأس النبع _ خلف السفارة الفرنسية _بيروت - لبنان
emiratesvoice, Emiratesvoice, Emiratesvoice