Self-Encrypting HDDs Not Really Encrypted, Store Passwords in Plain Text

[Exterminator]

Content source

http://news.softpedia.com/news/self-encrypting-hdds-not-really-encrypted-store-passwords-in-plain-text-495018.shtml

Researchers find encryption systems are really easy to crack
When it comes to privacy, computer users across the world are really willing to invest more money to keep their files away from prying eyes, and for many people, self-encrypting hard disks are the first option.

And it's no wonder why: they are really affordable and they promise to protect all the data stored on them, so they seem to provide very good quality for the money.

But that high-level encryption that they claim to offer is not as advanced as some might be tempted to believe.

Security researchers who have looked into this self-encrypting method have posted a paper on the Full Disclosure email list to provide us with an in-depth look at a problem that affects this type of HDDs in general, and the ones manufactured by Western Digital in particular. As we told you earlier today, malicious firmware updates could compromise HDD encryption, but the issue doesn't stop here.

Before stepping into more details, there's something that really needs to be taken into account: the Full Disclosure email list is the place where security researchers post their findings after contacting the parent company and not receiving an answer. In other words, Western Digital has been informed of the security problems found by these experts, but the company refused to cooperate and look into the matter. So they decided to go public with everything.

Passwords stored in plain text locally
According to Motherboard, who spoke with Matthew Green, assistant professor at Johns Hopkins University, one of the main issues, which is also impacting WD's My Passport drives, is that encryption keys are generated using the C rand() function, which means that it does nothing more than to choose a random number, which is then used to encrypt the drive.

Moreover, the current time (in 32-bit timestamp format) is used as a seeding parameter when generating the key, which according to Green makes it easy to crack in a short time even with a single PC, so no super computer is needed.

As if it wasn't easy enough to crack such a password, it doesn't stop here. Passwords are actually stored on the hard drive in plain text.

WD: We're looking into the matter
As far as Western Digital is concerned, the issue is not as worrying as we tend to believe. The company said in a statement for the aforementioned source that while they have already talked to security researchers regarding the encryption used on some HDD models, they are still “evaluating the observations.”

“We highly value and encourage this kind of responsible community engagement because it ultimately benefits our customers by making our products better. We encourage all security researchers to responsibly report potential security vulnerabilities or concerns to WD Customer Service and Support,” a spokesperson said.

The bottom line? Don't trust a self-encrypting HDD and make sure you don't copy critical data on such a drive. Any password can be cracked, but in Western Digital's case, it all becomes painfully easy.

 

[Kumaran]

A team of researchers has decided to check whether the encryption offered by Western Digital's My Passport external self-encrypting hard drives is effective and unbreakable as it should be. Unfortunately, the results of their research revealed that the devices are riddled with vulnerabilities, which can be exploited by attackers to access the data stored on them.

Depending on the model, the drives connect to host computers using USB 2.0, USB 3.0, Thunderbolt or Firewire. The are sold pre-formatted, pre-encrypted, and work with free software from the manufacturer. The researchers tested different models from the My Passport series, sporting six different hardware models.

"We developed several different attacks to recover user data from these password protected and fully encrypted external hard disks," they noted in their paper. "In addition to this, other security threats are discovered, such as easy modification of firmware and on-board software that is executed on the users PC, facilitating evil maid and badUSB attack scenarios, logging user credentials and spreading of malicious code."

The Key Encryption Key (KEK), which is a hash derived from the user password and is needed to unlock the drives and to retrieve the Data Encryption Key (DEK), should be difficult for an attacker to crack but, due to security weaknesses in the firmware, off-device password brute-force attacks are possible.

Weak key material, predictable RNG generators, easily modifiable firmware, backdoors for instant KEK and DEK decryption were all found in the various versions of the devices, making the promise offered by the manufacturer - that of keeping the users' data secure - effectively empty.

These findings also raise another fundamental question: How can we trust this and other manufacturers' claims when it comes to encryption? Also, this example shows why we need security researchers to test out those claims, and why we should support the practice, and not try to hinder it.

Western Digital has commented the findings by saying that they have been "in a dialogue" with the researchers, and that they "continue to evaluate the observations."

"We highly value and encourage this kind of responsible community engagement because it ultimately benefits our customers by making our products better. We encourage all security researchers to responsibly report potential security vulnerabilities or concerns to WD Customer Service and Support," WD spokeswoman Heather Skinner told The Register. Read more

 

[LabZero]

If I decide to encrypt my HDD, I would use VeraCrypt.
VeraCrypt is a fork of TrueCrypt but compared to TrueCrypt, it uses some improvements that provide even higher protection level.

 

[upnorth]

The audit made on TrueCrypt is very interesting and one of the main reason why I personal still use it.

Check it out if you like: Open Crypto Audit Project