So much for *THAT* NSA back door!
The encryption systems used in Western Digital's portable hard drives are pretty pointless, according to new research. It appears anyone getting hold of the vulnerable devices can easily decrypt them. WD's My Passport boxes automatically encrypt data as it is written to disk and decrypt the data as it is read back to the …
Hanlon's Razor applies here
Well, I'm not inclined to assume the fell hand of government, large or local, in something like this; WD My Passport drives seem a bit beneath the NSA's notice, and local LEOs are rarely sufficiently on the ball to even know they could request a back door.
On the other hand, the WD implementation is so obviously and badly broken that I have to feel someone at WD is culpable. Some manager agreed to create an encrypted-drive product, then either deliberately sabotaged it, or gave it to an implementer who was completely unqualified. The latter goes beyond stupidity to at least misfeasance, it seems to me. And was there no review of any sort?
The margins on these consumer products must be razor-thin, and I think that's the real problem. Manufacturers are looking for USPs they can add as cheaply as possible. Well, WD got a cheap implementation, all right.
But... if that was their actual response, then kudos to WD for being sensible in their response, and acknowledging it as an opportunity to do better.
Rather than taking the all-too-common-in-the-industry approach of threatening to drop a lawsuit-bomb on the security researchers and/or invoking the DMCA.
Yes, in most of these cases the appropriate thing to do would be to pay the people who find the problem if they inform the manufacturer first. Normally pen testing is a paid for service, people are willing to do it for free. Give them a few grand for first alert and you've got yourself a nice crowd-sourced test phase.
That's it, no more embedded device people doing security without a baby sitter. We need a CE mark for this or something. We also need a semester long base security class added to the CS/EE/SE degree tracks. Make them take it before they have developed bad habits.
Most locks are 'all in your mind' i.e. if you have incentive enough (the key question being...), then you can overcome security. Not many people have incentive enough to acquire dynamite, or even a 6' crowbar, to get past a locked door... in most circumstances. But in the right circumstances, Casper Milquetoast will steal a bulldozer and take out a wall of the building in order to get into it.
Of course, objectively speaking, no security can be absolute, but if you have to resort to dynamite or bulldozing your way through a wall, you're sitting pretty in criminal territory and the consequences will be counted in years.
As far as these disks are concerned, I don't expect a commercial product to resist a determined NSA probe, but I do expect my data to be sufficiently encrypted so that raw data cannot be read and decrypted from it without using the password. And I do expect that the encryption seed not be derived from a list of predetermined values.
My company bought a few WD portable drives on the express basis that the data was *securely* encrypted. I now find that WD's security is indeed a fragile illusion that can be broken with a trivial program that will probably soon be available to download for free.
We have confidential company data on those drives, and now we are going to have to consider that they are at risk from trivial break-in attempts. Of course, one will still have to get their hands on it first, but still, this situation is not pleasant.
I will be following what WD does on this with great interest.
The only question then is: "effective for who or against what"? Since it sounds like the hard drive needs to be physically in the hands of the attacker, then maybe it's fit for purpose if the drive never leaves the house or office. If it can be attacked while attached to the machine, that's a different problem.
Being labeled as "portable" does imply these will be left in hotels, rental cars, buses, subways, etc. however. In which case, it's only effective if the person finding it is educated enough in the black arts to break into it.
In fact, it is even worse than that, because the internet. I can steal the data and wait for the tool to arrive to decrypt it. I could exfiltrate it to an expert in China/US/wherever, at nearly no cost.
Not like a lock - you can't hack most front door locks because you are not physically there. And help via the Internet won't, mostly.
Note the analogy is faulty - these attacks require physical access to the drive. But the decode can be done later. You could do it by taking the lock but people tend to notice. Not so much with a few terabytes of data.
Some people really do go over the top when it comes to encryption. Plus why do most here think they are special enough to warrant in-depth attention from the NSA?
I would bet you don't.
Yes, this product is flawed, but how will it stack up in 99.9% of the cases it would need encryption?
i.e. will it stop Mum/Wife/Girlfriend/Guy who finds it on the seat of the train from looking at it, and therefore avoid an embarrassing episode?
I'd say so.
The random person is not the one you are worried about. The one going after your drive probably has some nice tools whether they be from governmental sources or otherwise. Your hotel maid at the next conference you attend has a pretty good chance of not being random.
I don't think that this encryption is really meant to prevent nation states and career security researchers from accessing the data. For the average private user or small to medium businessman the encryption should be good enough to discourage your average thief from gaining access to moderately sensitive data. They would rather format it and flog it for a few bucks.
If you are storing state secrets or highly sensitive business secrets you really should pay the premium and buy a FIPS certified device.
When will they see that it would be a really good idea to let others help with these things? Others being the opensource community. Build the hardware, engage opensource (read: pay for the initial project), ship the hardware, revel in the popularity.
This goes for single-disk URB drives to "home NAS'"
Dr. Hibbert: Homer, I'm afraid you'll have to undergo a coronary bypass operation.
Homer: Say it in English, Doc.
Dr. Hibbert: You're going to need open heart surgery.
Homer: Spare me your medical mumbo jumbo.
Dr. Hibbert: We're going to cut you open, and tinker with your ticker.
Homer: Could you dumb it down a shade?
I've been dealing with these disks for a long time now. Not sure why it's not been mentioned yet but these disks encrypt and decrypt themselves by default, even if you don't set a password. (If you have a WD with removable USB interface, see what happens when you bypass it and connect directly to a SATA port. Doesn't apply to some of the basic enclosures.) Decryption has been trivial for at least a couple of years.
Here WD has folders full of women writing encryption for the price points and industries to suit them best, and you're certain the reason they don't mainstream 8-128kbit AES keys for shopboys is because they make spinning rust? Surely you've heard of their airgap line?
It's a shipping option. (cough)
Yeah, it's just good enough that when somebody brings me a drive where the USB controller chip has burnt out I probably can't get their stuff back, but not good enough to keep somebody who makes their living at breaking into people's computers and stealing personal information from doing so.
Could any of you help me? My WD Passport failed and the data has been encrypted so no one has been able to recover the data. I did not set a password. How can I recover all my files? I've had three companies have a look at it, one said it's impossible, the other recovered a bit, but couldn't access the rest due to the encryption.
Please help me!
I'm in the same boat. I want to access my lost files.
I have purchased the same WD My Book enclosure off of Ebay (since it should be able to read the drive once back on the same WD circuit board apparently). Until the enclosure arrives I will be trying to access the drive by hooking it directly to my computer.
I'll be doing some more research to see if I can "hack" the drive prior to the new enclosure arriving.