back to article Western Digital's hard drive encryption is useless. Totally useless

The encryption systems used in Western Digital's portable hard drives are pretty pointless, according to new research. It appears anyone getting hold of the vulnerable devices can easily decrypt them. WD's My Passport boxes automatically encrypt data as it is written to disk and decrypt the data as it is read back to the …

  1. Robert Heffernan

    NSA?

    So much for *THAT* NSA back door!

    1. GrumpyOldBloke

      Re: NSA?

      Sounds more like a local law enforcement backdoor. WD drinking the surveillance state kool aid.

      1. Bob H

        Re: NSA?

        Hanlon's Razor applies here:

        "Never attribute to malice that which is adequately explained by stupidity."

        1. Roo
          Windows

          Re: NSA?

          Willful Stupidity isn't covered by Hanlon's Razor. ;)

        2. Michael Wojcik Silver badge

          Re: NSA?

          Hanlon's Razor applies here

          Well, I'm not inclined to assume the fell hand of government, large or local, in something like this; WD My Passport drives seem a bit beneath the NSA's notice, and local LEOs are rarely sufficiently on the ball to even know they could request a back door.

          On the other hand, the WD implementation is so obviously and badly broken that I have to feel someone at WD is culpable. Some manager agreed to create an encrypted-drive product, then either deliberately sabotaged it, or gave it to an implementer who was completely unqualified. The latter goes beyond stupidity to at least misfeasance, it seems to me. And was there no review of any sort?

          The margins on these consumer products must be razor-thin, and I think that's the real problem. Manufacturers are looking for USPs they can add as cheaply as possible. Well, WD got a cheap implementation, all right.

  2. David 132 Silver badge
    Thumb Up

    Yikes.

    But... if that was their actual response, then kudos to WD for being sensible in their response, and acknowledging it as an opportunity to do better.

    Rather than taking the all-too-common-in-the-industry approach of threating to drop a lawsuit-bomb on the security researchers and/or invoking the DMCA.

    1. werdsmith Silver badge

      Re: Yikes.

      Yes, in most of these cases the appropriate thing to do would be to pay the people who find the problem if they inform the manufacturer first. Normally pen testing is a paid for service, people are willing to do it for free. Give them a few grand for first alert and you've got yourself a nice crowd-sourced test phase.

  3. Bota

    If it wasn't for those pesky kids!

    1. Michael Wojcik Silver badge

      And their craven, anthropomorphic dog!

  4. Gene Cash Silver badge

    My Seagate has excellent encryption

    *Nobody* can read any data off the drive...

    1. FrankAlphaXII

      Re: My Seagate has excellent encryption

      Two of my 2010-ish 1 TB Seagates had that same "feature". Both failed spectacularly within a matter of months.

      1. Michael Wojcik Silver badge

        Re: My Seagate has excellent encryption

        A similar feature is available with the Hitachi DeathTravelStar.

    2. JCitizen
      Coffee/keyboard

      Re: My Seagate has excellent encryption

      You do know that Seagate and WD are the same company, don't you?

  5. Ian 55

    "a pseudorandom number generator that .. only cycles through a series of 255 32-bit values."

    It's almost impressively stupid.

    If only they'd gone for PRN generator that gave a full 4096 bits.. that was one of two different values.

    1. Fibbles

      Re: "a pseudorandom number generator that .. only cycles through a series of 255 32-bit values."

      Obligatory XKCD.

      1. James Hughes 1

        Re: "a pseudorandom number generator that .. only cycles through a series of 255 32-bit values."

        Impressively stupid appears to be an understatement....

  6. 2+2=5 Silver badge
    Joke

    "Totally useless"

    Can I have my caption competition entries back please?

  7. Anonymous Coward
    Anonymous Coward

    Someone please put the cork back on the fork...

    That's it, no more embedded device people doing security without a baby sitter. We need a CE mark for this or something. We also need a semester long base security class added to the CS/EE/SE degree tracks. Make them take it before they have developed bad habits.

    1. Dan 55 Silver badge
      Meh

      Re: Someone please put the cork back on the fork...

      CE mark? You mean the one that the manufacturer puts on themselves?

    2. This post has been deleted by its author

  8. ZSn

    Really?

    I'm sorry but unless the device is certified fips compliant (and perhaps not even then) you should always encrypt it before it reaches the hard drive firmware. Otherwise this is what you get - a placebo security hard drive. You feel good about security but it is all in your mind.

    1. Michael Thibault

      Re: Really?

      Most locks are 'all in your mind' i.e. if you have incentive enough (the key question being...), then you can overcome security. Not many people have incentive enough to acquire dynamite, or even a 6' crowbar, to get past a locked door... in most circumstances. But in the right circumstances, Casper Milquetoast will steal a bulldozer and take out a wall of the building in order to get into it.

      1. Pascal Monett Silver badge

        Re: "if you have incentive enough"

        Of course, objectively speaking, no security can be absolute, but if you have to resort to dynamite or bulldozing your way through a wall, you're sitting pretty in criminal territory and the consequences will be counted in years.

        As far as these disks are concerned, I don't expect a commercial product to resist to a determined NSA probe, but I do expect my data to be sufficiently encrypted so that raw data cannot be read and decrypted from it without using the password. And I do expect that the encrytion seed not be derived from a list of predetermined values.

        My company bought a few WD portable drives on the express basis that the data was *securely* encrypted. I now find that WD's security is indeed a fragile illusion that can be broken with a trivial program that will probably soon be available to download for free.

        We have confidential company data on those drives, and now we are going to have to consider that they are at risk from trivial break-in attempts. Of course, one will still have to get their hands on it first, but still, this situation is not pleasant.

        I will be following what WD does on this with great interest.

        1. Anonymous Coward
          Anonymous Coward

          Re: "if you have incentive enough"

          Suspect similar devices have similar weaknesses. A work-around is to third party encrypt inside the drive, using e.g. ghostphrase.

    2. Dave Harvey

      Re: Really?

      Why would anyone want anything to be "FIPS compliant"? To most of us outside the US of A, FIPS compliance simply means "open to the NSA" !

  9. Anonymous Coward
    Anonymous Coward

    "Totally useless" ?

    The lock on your door is "Totally useless", with a stick of dynamite or a 6 ft crowbar I can open it.

    Give one of these drives to 1000 random people on the street and see how many of them can decrypt it.

    1. a_yank_lurker Silver badge

      Re: "Totally useless" ?

      The fact the encryption may not be as strong as it should be is an issue. But you note it only has to be good enough to be effective. But is it good enough?

      1. Mark 85 Silver badge

        Re: "Totally useless" ?

        The only question then is: "effective for who or against what"? Since it sounds like the hard drive needs to physically in the hands of the attacker, then maybe it's fit for purpose if the drive never leaves the house or office. If it can be attacked while attached to the machine, that's a different problem.

        Being labeled as "portable" does imply these will be left in hotels, rental cars, buses, subways, etc. however. In which case, it's only effective if the person finding it is educated enough in the black arts to break into it.

        1. YetAnotherLocksmith

          Re: "Totally useless" ?

          In fact, it is even worse than that, because the internet. I can steal the data and wait for the tool to arrive to decrypt it. I could exfiltrate it to an expert in China/US/wherever, at nearly no cost.

          Not like a lock - you can't hack most front door locks because you are not physically there. And help via the Internet won't, mostly.

          Note the analogy is faulty - these attacks require physical access to the drive. But the decode can be done later. You could do it by taking the lock but people tend to notice. Not so much with a few terabytes of data.

        2. jason 7

          Re: "Totally useless" ?

          Some people really do go over the top when it comes to encryption. Plus why do most here think they are special enough to warrant in depth attention from the NSA.

          I would bet you don't.

          Yes this product is flawed but how will it stack up in 99.9% of the cases it would need encryption.

          i.e. will it stop Mum/Wife/Girlfriend/Guy who finds it on the seat of the train from looking at it, there fore avoid embarrassing episode?

          I'd say so.

    2. redpawn Silver badge

      Re: "Totally useless" ?

      The random person is not the one you are worried about. The one going after your drive probably has some nice tools whether they be from governmental sources or otherwise. Your hotel maid at the next conference you attend has a pretty good chance of not being random.

      1. Aitor 1

        Re: "Totally useless" ?

        If you live in the UK, you better have no encryption, less you forget the passwords.. and get jailed.

    3. Michael Wojcik Silver badge

      Re: "Totally useless" ?

      In other news, a dozen Reg commentators rediscover threat models.

  10. msknight Silver badge

    I suppose you could say that their encryption isn't worth the platter its written on.

    1. Ol' Grumpy

      *Groan* - but have an upvote anyway :)

  11. BrendHart

    Good enough for government work

    I don't think that this encryption is really meant to prevent nation states and career security researchers from accessing the data. For the average private user or small to medium businessman the encryption should be good enough to discourage your average thief from gaining access to moderately sensitive data. They would rather format it and flog it for a few bucks.

    If you are storing state secrets or highly sensitive business secrets you really should pay the premium and buy a FIPS certified device.

    1. jason 7

      Re: Good enough for government work

      Spot on!

  12. Drone Pilot

    Allow the community to help?

    When will they see that it would be a really good idea to let others help with these things? Other's being the opensource community. Build the hardware, engage opensource (read: pay for the initial project), ship the hardware, revel in the popularity.

    This goes for single-disk URB drives to "home NAS'"

  13. This post has been deleted by its author

    1. Dan 55 Silver badge

      Dr. Hibbert: Homer, I'm afraid you'll have to undergo a coronary bypass operation.

      Homer: Say it in English, Doc.

      Dr. Hibbert: You're going to need open heart surgery.

      Homer: Spare me your medical mumbo jumbo.

      Dr. Hibbert: We're going to cut you open, and tinker with your ticker.

      Homer: Could you dumb it down a shade?

  14. Anonymous Coward
    Anonymous Coward

    Self Decrypting

    I've been dealing with these disks for a long time now. Not sure why it's not been mentioned yet but these disks encrypt and decrypt themselves by default, even if you don't set a password. (If you have a WD with removable USB interface, see what happens when you bypass it and connect directly to a SATA port. Doesn't apply to some of the basic enclosures.) Decryption has been trivial for at least a couple of years.

  15. Anonymous Coward
    Anonymous Coward

    Pron

    I only use encryption to keep the missus from finding my pron.

    Later I shall be googling 'evil maid.' ;-)

  16. Dan 55 Silver badge

    Do you trust a spinning rust manufacturer to get full disk encryption right?

    No. Either they use the same programmers that come up with things like their own-brand backup software or they outsource it out to the lowest bidder.

    1. Saigua

      Re: Do you trust a spinning rust manufacturer to get full disk encryption right?

      Here WD has folders full of women writing encryption for the price points and industries to suit them best, and you're certain the reason they don't mainstream 8-128kbit AES keys for shopboys is because they make spinning rust? Surely you've heard of their airgap line?

      It's a shipping option. (cough)

  17. a1exh

    Interesting

    I'm curious to how they worked out there was a SCSI command to dump controller SRAM

  18. GBE

    Cryptography is hard

    Well, it is.

  19. AndrueC Silver badge
    Joke

    At least the WD40 model should be immune to this problem

  20. tlhonmey

    Yeah, it's just good enough that when somebody brings me a drive where the USB controller chip has burnt out I probably can't get their stuff back, but not good enough to keep somebody who makes their living at breaking into people's computers and stealing personal information from doing so.

  21. Rups

    If it's easy...

    Could any of you help me? My WD Passport failed and the data has been encrypted so no one has been able to recover the data. I did not set a password. How can I recover all my files? I've had three companies have a look at it, one said it's impossible, the other recovered a bit, but couldn't access the rest due to the encryption.

    Please help me!

    1. brian4591

      Re: If it's easy...

      I'm in the same boat. I want to access my lost files.

      I have purchased the same WD My Book enclosure off of Ebay (since it should be able to read the drive once back on the same WD circuit board apparently). Until the enclosure arrives I will be trying to access the drive by hooking it directly to my computer.

      I'll be doing some more research to see if I can "hack" the drive prior to the new enclosure arriving.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019