Slashdot Mirror


Self-Encrypting Western Digital Hard Drives Easy To Crack

New submitter lesincompetent writes: Security researchers have found severe flaws in the encryption methods used in certain hard drives from Western Digital. Quoting the abstract should be enough to show how dire the situation is: "We will describe the security model of these devices and show several security weaknesses like RAM leakage, weak key attacks and even backdoors on some of these devices, resulting in decrypted user data, without the knowledge of any user credentials." The paper by Alendal, Kison and modg is available here in PDF format.

48 of 74 comments

  1. Ah good - can I get at my backups now? by tebee · · Score: 3, Insightful

    I used an external WD hard drive for my backups, but it decided to not speak to the computer anymore last week. I assume its USB interface has died, as it's no longer recognized by the computer.

    So I pulled the drive out of it and plugged it in as an internal drive to the desktop computer. It could see the drive so it was still working, but it could not recognize the format of it.

    Research showed me that Western Digital uses a hardware encryption chip on the drive's board to protect user data.

    So if someone steals the hard drive out of my external drive they won't be able to read my data. If, on the other hand, they steal the whole external hard drive, they will have the encryption chip too and can just plug it into their USB and read everything of mine.

    This seems a spectacularly useless feature which just makes life hard for me - but maybe I can fix it now!

    --
    N.B. this user is far too lazy to write a witty and intelligent sig.
    1. Re:Ah good - can I get at my backups now? by inasity_rules · · Score: 1

      Wait... Seriously? There is not even a passcode you need to enter?

      --
      I have determined that my sig is indeterminate.
    2. Re:Ah good - can I get at my backups now? by bloodhawk · · Score: 1

      There is a password, it is just useless. Sounds like the OP doesn't understand what he is seeing though.

    3. Re:Ah good - can I get at my backups now? by Anonymous Coward · · Score: 1

      No, that's not what that is. The cryptography happens on the actual drive, not in the USB-SATA adapter. For several reasons, hard disks have begun using 4K sectors instead of 512B sectors, and USB-SATA adapters have gained the capability of presenting a hard disk with 4K sectors as if it used 512B sectors and vice-versa. If you remove the drive from the enclosure, you see the effect of that remapping that some USB-SATA adapters perform. Suddenly all offsets in partition tables and filesystems are wrong, because they reference a different sector size. To read the data again, you need to put the drive in an enclosure which has a USB-SATA adapter that uses the same mapping. The data on the actual drive is either transparently encrypted or not encrypted at all. Either way, that's not the reason why you can't read the data right now.

    4. Re:Ah good - can I get at my backups now? by Anonymous Coward · · Score: 1

      I should've read the article. There are indeed some WD USB disks where the USB-SATA adapter performs the encryption. Anyhow, if you never installed WD-provided software for your drive and never entered a password, the more likely explanation is still a sector size remapping. Try to read raw sectors from the disk and pipe them through "strings" to see if there is any recognizable content: dd if=/dev/sdx | strings where /dev/sdx is the device name of the disk.

    5. Re:Ah good - can I get at my backups now? by goarilla · · Score: 1

      I usually do xxd /dev/sdx | fgrep 'R.NTFS' to find NTFS drives. But yes some WD USB disks use the password to encrypt the master key situated on the small adapter card.
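      The sector-size remapping diagnosis described above, and the raw-sector check for the NTFS signature, as an added worked example (not from the thread; the disk image, the LBA 64 partition and the 4K-sector bridge are all constructed for illustration):

```python
"""Diagnose a 512B-vs-4K logical sector mismatch on a raw disk image.

Constructed example: an MBR whose single partition entry says "start at
LBA 64" was written while a (hypothetical) USB-SATA bridge presented
4096-byte logical sectors. Read back with a 512-byte sector assumption,
the same LBA points at the wrong bytes and the volume looks unformatted.
"""
import struct

MBR_ENTRY_OFFSET = 446      # first of four 16-byte partition entries
NTFS_OEM_ID = b"NTFS    "   # bytes 3..11 of an NTFS boot sector ("R.NTFS" in xxd output)
PART_LBA = 64               # start LBA recorded in the constructed partition table
WRITER_SECTOR = 4096        # logical sector size the hypothetical bridge chip presented


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte MBR as dicts."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    entries = []
    for i in range(4):
        e = mbr[MBR_ENTRY_OFFSET + 16 * i:MBR_ENTRY_OFFSET + 16 * (i + 1)]
        ptype = e[4]
        lba, count = struct.unpack("<II", e[8:16])   # little-endian start LBA and length
        if ptype:
            entries.append({"type": ptype, "lba": lba, "sectors": count})
    return entries


def is_ntfs_boot_sector(sector: bytes) -> bool:
    """True if the bytes carry the NTFS OEM ID and the boot signature."""
    return sector[3:11] == NTFS_OEM_ID and sector[510:512] == b"\x55\xaa"


def probe_sector_size(image: bytes, lba: int, candidates=(512, 4096)):
    """Return the logical sector size under which `lba` lands on an NTFS boot sector, else None."""
    for size in candidates:
        off = lba * size
        if is_ntfs_boot_sector(image[off:off + 512]):
            return size
    return None


def scan_for_ntfs(image: bytes, step: int = 512) -> list:
    """Byte offsets of NTFS boot sectors; the raw-read equivalent of xxd | fgrep 'R.NTFS'."""
    return [off for off in range(0, len(image) - 511, step)
            if is_ntfs_boot_sector(image[off:off + 512])]


def build_image() -> bytes:
    """Constructed image: MBR written for 4K logical sectors, NTFS volume at LBA 64."""
    mbr = bytearray(512)
    # status, CHS start (3), type 0x07 = NTFS, CHS end (3), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x00, b"\0\0\0", 0x07, b"\0\0\0", PART_LBA, 1024)
    mbr[MBR_ENTRY_OFFSET:MBR_ENTRY_OFFSET + 16] = entry
    mbr[510:512] = b"\x55\xaa"
    boot = bytearray(512)
    boot[0:3] = b"\xeb\x52\x90"          # jump opcode typical of NTFS boot code
    boot[3:11] = NTFS_OEM_ID
    boot[510:512] = b"\x55\xaa"
    image = bytearray((PART_LBA + 2) * WRITER_SECTOR)
    image[0:512] = mbr
    start = PART_LBA * WRITER_SECTOR     # where the enclosure actually put the volume
    image[start:start + 512] = boot
    return bytes(image)


if __name__ == "__main__":
    img = build_image()
    part = parse_mbr(img[:512])[0]
    print("partition table says start LBA", part["lba"])
    print("512B sectors  -> NTFS found:", probe_sector_size(img, part["lba"], (512,)))
    print("4096B sectors -> NTFS found:", probe_sector_size(img, part["lba"], (4096,)))
    found = scan_for_ntfs(img)
    print("raw scan hits at byte offsets", found, "=> implied sector size", found[0] // part["lba"])
```

      On a real disk the same logic applies to the bytes read with dd from the raw device; a hit whose byte offset divided by the partition's recorded LBA is 4096 rather than 512 is the remapping the comment above describes.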

    6. Re: Ah good - can I get at my backups now? by Anonymous Coward · · Score: 1

      The USB clip on mine had broken off, which is a common problem. I ordered a new board, but still couldn't read the data. WD is no help, of course. This article gives me a bit of hope that all is not lost.

    7. Re:Ah good - can I get at my backups now? by goarilla · · Score: 1

      At least that's how I think they do it.

    8. Re:Ah good - can I get at my backups now? by donaldm · · Score: 1

      Research showed me that Western Digital uses a hardware encryption chip on the drive's board to protect user data.

      Basically, if your hard drive has failed and you are a bit worried about it falling into someone's hands if you discard it, then the best solution is to destroy the hard disk platter.

      It must be noted that it is only the hard disk that retains all your data even though the electronics may have failed or there are too many bad blocks that the disk is flagged as failed.

      To destroy the hard disk is fairly simple to do, however it is best to wear eye protection just in case. Just undo the four or five screws on top and remove the cover, then take a small hammer or other such hard object and strike the platter; it will shatter since it is glass (hence the reason for eye protection). Next, dispose of it either by recycling (preferred) or landfill. Obviously dispose of the electronics and disk shards separately.

      For SSDs you can't go wrong with a sledgehammer, although that would work for pretty much all storage devices, but it does leave a bit of a mess.

      Basically, no organisation or criminal will even attempt to reconstitute your shattered hard disk since it would be just about impossible to get data off. :-)

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    9. Re:Ah good - can I get at my backups now? by Solandri · · Score: 1

      So I pulled the drive out of it and plugged it in as an internal drive to the desktop computer. It could see the drive so it was still working, but it could not recognize the format of it.

      Research showed me that Western Digital uses a hardware encryption chip on the drive's board to protect user data.

      That's probably not the reason. A lot of recent external drives use a proprietary formatting scheme. If you remove the drive from the enclosure and plug it straight into your computer, your computer will not be able to read the data written on it. The computer can use the drive just fine if you reformat it, it just can't read data written on it while it was in the enclosure.

      My guess is this has something to do with the 2 TB limit of MBR partition disks. MBR was the default partitioning format for many versions of Windows. The HDD companies probably didn't want to field tech support calls from people complaining that their 3+ TB external HDD could only be formatted to 2 TB. So they came up with a proprietary hardware controller which allowed MBR disks to have partitions larger than 2 TB; the downside being the data cannot be read if you remove that controller and plug the drive straight into your computer.

    10. Re:Ah good - can I get at my backups now? by fennec · · Score: 1

      I had the same issue with a friend's WD Essential. I tried many things; I eventually managed to reflash the firmware with an older version of the update program, and it showed up after replugging it. I then saved all the content to another drive.

  2. Any use of this? by Anonymous Coward · · Score: 1

    I always thought that encryption should be handled by the OS -- not the drive, and that these "encrypting hard drives" are a gimmick to add one bullet point to the retail box and lure non-technical buyers.

    1. Re:Any use of this? by e70838 · · Score: 4, Insightful

      Hardware encryption is also a way to fight against open source. First, special drivers have to be developed to handle the features. Second, it suggests that the encryption is handled by the hardware and that there is no benefit in having the OS provide better encryption.

    2. Re:Any use of this? by aaaaaaargh! · · Score: 1

      Encryption at the hard drive level would be vastly superior to any encryption by the OS, if it was done correctly and with tamper-resistant chips. However, history has shown that dedicated hardware encryption devices for the consumer market practically always contain backdoors or ridiculous weaknesses. Practically always, if not always. Even expensive professional devices are only moderately trustworthy (see e.g. the "Crypto AG" story), most "professional" encryption based on closed source software or hardware is snake oil anyway. Still, it could be done in a way that is much more secure than what operating systems can offer.

      If companies had a real interest in security, they would first and foremost include reliable wiping functions into their hardware. But I know of no storage device with such functionality.

    3. Re:Any use of this? by cfalcon · · Score: 1

      Pls mod up. It gains the illusion of security at the expense of actual security. Every abstraction layer that can peek into owner-controlled space (such as a physical device that can read RAM without being gated by the CPU) hurts your actual real audited software encryption. Every layer that offers hidden encryption, (such as hardware, especially hardware that gets to vet or view the output of a user controlled CPU, or hardware that sits below the owner controlled opcodes, such as a soft-updateable CPU "firmware") is full of accidental or purposeful backdoors, and reduces the ability to actually run owner-controlled programs in the first place.

    4. Re:Any use of this? by cfalcon · · Score: 1

      An open piece of hardware that behaves in an owner-controlled way would be no different than your CPU. But repeatedly and endlessly, this is never what we see.

    5. Re:Any use of this? by JesseMcDonald · · Score: 1

      If you allow the operating system to manage the key and/or passphrase entry, a hardware device offers no additional security.

      As far as I can tell, the only additional security you might get from implementing the encryption in the hardware is that since disabling the drive encryption without losing data requires the lengthy step of rewriting all the data on the drive, it becomes harder to exfiltrate cleartext by writing it to the hard drive unencrypted. As attacks go, this isn't a very likely one; it still requires the attacker to gain physical access to the drive, when they probably have much better ways to get data off a running system. Apart from that, the OS (and thus any sufficiently privileged malware) already has direct access to all the decrypted data on the drive, so in that respect it's no different from doing the encryption in software. The OS has the additional ability to tie the encryption to a hardware security module if one is available, meaning that the drive cannot be removed from the system and decrypted offline without brute-forcing a key much longer than a typical password.

      Built-in hard disk encryption is a performance optimization at most. In exchange for that small performance boost, you get attempts at security-through-obscurity with encryption-defeating bugs like the one in this article baked into the drive's firmware.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    6. Re:Any use of this? by WorBlux · · Score: 1

      How do you even know your software encryption program is actually unmodified and not modified or spied upon by parts of the OS modified to be malicious? Unless you air-gap the computer (and even that sometimes isn't enough: high-frequency listening implanted in the firmware) and keep it in a tamper-evident pouch when you aren't using it? Otherwise you need, at minimum, a verified boot chain and a cryptographically signed file-system. Yes, the keys should be owner accessible or replicable, but unfortunately such systems rarely pass the grandma test.

    7. Re:Any use of this? by WorBlux · · Score: 1

      How many 128-bit keys can you memorize?

    8. Re:Any use of this? by nedlohs · · Score: 1

      All of them.

  3. TrueCrypt by dinfinity · · Score: 3, Informative

    I bought one of the WD Passport drives, but I immediately decided that I didn't want to rely on a hard disk manufacturer for security and encryption (or deal with potentially very crappy software).

    So I just created a TrueCrypt partition and now sometimes deal with the very slight inconvenience of having to mount it (and with the risk that TC has actually become less safe than the alternatives, of course).

    1. Re:TrueCrypt by OzPeter · · Score: 1

      Unless you thoroughly reviewed and independently tested TrueCrypt, all you seem to have done is to exchange one set of assumptions for another (and you also allude to the fact that you have no idea as to the quality of TrueCrypt.)

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:TrueCrypt by GameboyRMH · · Score: 1

      Why haven't you moved to VeraCrypt yet?

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    3. Re:TrueCrypt by Sumus+Semper+Una · · Score: 1

      Unless you thoroughly reviewed and independently tested TrueCrypt, all you seem to have done is to exchange one set of assumptions for another (and you also allude to the fact that you have no idea as to the quality of TrueCrypt.)

      Unless you have the time and the background to understand each choice you will ever be given, you're going to have to make some assumptions in life. Does it not make more sense to assume that well known software whose sole purpose is encryption might be better than software added on by a manufacturer who is not necessarily well known to be knowledgeable in encryption practices?

    4. Re:TrueCrypt by OzPeter · · Score: 1

      Does it not make more sense to assume that well known software whose sole purpose is encryption might be better than software added on by a manufacturer who is not necessarily well known to be knowledgeable in encryption practices?

      I think you are trying for a definition of irony here - countering my assertions on the unknown state of knowledge when applying assumptions - with an assumption.

      --
      I am Slashdot. Are you Slashdot as well?
    5. Re:TrueCrypt by dinfinity · · Score: 2

      I don't really trust VeraCrypt yet.

      Last time I checked, it was a product of just one French guy who may not even have a very, very solid understanding of cryptography. Even if he's not malicious, his well-intended changes might be making the product worse rather than better.

      I'll reevaluate it at some point in the near future, however.

    6. Re:TrueCrypt by dinfinity · · Score: 2

      Your logic is flawed. Just because something is an assumption doesn't mean it is as unreliable as any other assumption.

      Honestly, do you not see the stupidity of trying to lecture me on a decision that has already proven to be the right one and the irony of doing so in the comments on an article that actually provides that proof?
      WD's products have proven to suck at cryptography and security. TC has not (yet).
      WD makes hard disks. TC is a product aimed 100% at cryptography and security.

      Lumping them both together and implying they are equally unreliable because I haven't done an audit of the code of TC is retarded. Don't force your point of 'nothing is ever completely secure' into this. We know it isn't, yet we still have to try to choose the best of the imperfect options.

    7. Re:TrueCrypt by OzPeter · · Score: 1

      So when did you come to the realization that WD cryptography is crap? Was it before this report came out? Or are you only jumping on the bandwagon now and post hoc claiming the validity of your decision?

      Prior to this report you'd think that it was a reasonable assumption that a company with a $17B market cap could hire as many cryptography experts as they wanted to work on their products rather than pass it off to the current intern. But no, your decision was not based on any facts but rather an emotional response to your beliefs of the relative merits of each product. That you made a decision that coincidentally bears out your emotional bias against WD does not negate the fact that an assumption is an unknown and you can't know an unknown, and you did trade one unknown for another.

      And in fact you even agree with me when you keep saying that TrueCrypt has not been proven to suck (yet). If you have such faith in TrueCrypt, why do you feel the need to qualify it? Or are you unconsciously admitting that your knowledge about the quality of TrueCrypt is incomplete and you are making an assumption of its fitness of use?

      --
      I am Slashdot. Are you Slashdot as well?
    8. Re:TrueCrypt by dinfinity · · Score: 2

      Was it before this report came out? Or are you only jumping on the bandwagon now and post hoc claiming the validity of your decision?

      No. I made the decision for the reason I mentioned. My experience with most manufacturers doing things that are outside of their core business is that those things tend to suck (badly).

      Prior to this report you'd think that it was a reasonable assumption that a company with a $17B market cap could hire as many cryptography experts as they wanted to work on their products rather than pass it off to the current intern. But no, your decision was not based on any facts but rather an emotional response to your beliefs of the relative merits of each product.

      It is irrelevant how many experts they could hire. It is relevant how many experts they probably would hire. They know fuck-all about cryptography and security and are very probably not going to understand how much time and effort is required to do them right. I also don't believe they care enough about doing it right. It's more of an us-too feature than a USP.

      But no, your decision was not based on any facts but rather an emotional response to your beliefs of the relative merits of each product. That you made a decision that coincidentally bears out your emotional bias against WD does not negate the fact that an assumption is an unknown and you can't know an unknown, and you did trade one unknown for another.

      Fuck you and your strawmen. I already told you that assumptions are not interchangeable (as you imply) and why in this case one assumption specifically is not the other. If you don't have the decency to respond to that, then fuck you.

      If you have such faith in TrueCrypt, why do you feel the need to qualify it? Or are you unconsciously admitting that your knowledge about the quality of TrueCrypt is incomplete and you are making an assumption of its fitness of use?

      And fuck you again. I never said that I have 'such faith in TrueCrypt' and have clearly and repeatedly indicated from the start that I am aware that it is not perfectly trustworthy. So no, I am not 'unconsciously' admitting shit.

      Just accept that you were unjustly talking shit and go away. You're trying to hold on to a very weak and worthless position.

  4. Do not trust firmware or embedded hardware by gweihir · · Score: 4, Interesting

    The researchers managed to break in because of gross design and implementation errors. Even venerable and well-known (and utterly stupid) faults like low-entropy key generation make several appearances, as do possibilities to simply read keys from EEPROM or disk or keys encrypted with a static key and stored on the device itself without the need to do so. The only valid conclusion is that none of the "engineers" involved have any reasonable level of experience and knowledge as to how to implement cryptography right. As a consequence they all fail.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Do not trust firmware or embedded hardware by goarilla · · Score: 1

      I wonder if the same people implement their Enterprise SED schemes.

    2. Re:Do not trust firmware or embedded hardware by gweihir · · Score: 1

      Probably. Nobody is going to analyze these anyway, far too expensive. And why have a second design team when you already have one that does fine work?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Do not trust firmware or embedded hardware by fuzzyfuzzyfungus · · Score: 1

      They may or may not have any better people on the job; but 'enterprise' SED usually means 'TCG Opal Compliant', which would require a different implementation than the drives described here. I don't know how well that spec prevents shoddy implementations; but it involves a bunch of standardized interaction between the drive, OS/driver, and TPM; while the 'encryption' here is purely between WD's lousy software and their dodgy little USB/SATA bridge chip.

      I don't know how much better the situation is or isn't; but it's unlikely that they were able to reuse too much.

    4. Re:Do not trust firmware or embedded hardware by swb · · Score: 1

      I would think that encryption at the OS level would be a safer concept anyway. It's closer to where the data is actually used and generated and guarantees that the data is encrypted no matter what device a given system is writing to.

      It's not hard to see situations where an OS is moved to other hardware or backing storage is changed. Relying on encrypted disks providing that suddenly means it's unencrypted.

    5. Re:Do not trust firmware or embedded hardware by GrumpySteen · · Score: 2

      The only valid conclusion is that none of the "engineers" involved have any reasonable level of experience and knowledge as to how to implement cryptography right.

      Hooray for outsourcing engineering to the lowest bidder from India!

    6. Re: Do not trust firmware or embedded hardware by bill_mcgonigle · · Score: 1

      The only valid conclusion is that none of the "engineers" involved have any reasonable level of experience and knowledge as to how to implement cryptography right. As a consequence they all fail.

      Generally speaking, everybody gets crypto wrong. The factors that we can control are how many people are looking at the code and how good is the reputation of the authors.

      Who wrote the WD firmware? A low bidder anonymous tech firm? An intern working on reference demo code?

      Smart people will run LUKS, VeraCrypt (or even BitLocker) on their drives. If WD were smart they'd just OEM VeraCrypt for the "Home Edition" users and ship cheaper drives - only in a synthetic benchmark could this approach be worse than all the others.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    7. Re:Do not trust firmware or embedded hardware by aaaaaaargh! · · Score: 1

      Encryption at the OS level is very insecure, because common operating systems are very insecure.

      But I agree that in the end the difference doesn't matter, since the only secure hardware encryption would be an external drive with independent key entry, i.e. an external drive with its own keypad. Why use a hardware device if a simple keystroke logger is enough to "break the encryption"?

    8. Re:Do not trust firmware or embedded hardware by gweihir · · Score: 1

      It would be different, yes. But if the same clueless people did it, I have no doubt they found ways to screw it up.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:Do not trust firmware or embedded hardware by gweihir · · Score: 1

      At the same time, your argument is completely irrelevant as this is only about protecting data-at-rest, i.e. the OS does the encryption, but it is not running at attack time. Unless the OS screws up the encryption itself, it will be secure.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Do not trust firmware or embedded hardware by gweihir · · Score: 1

      Or China. I once was on the phone with a crypto-implementer in China for a very well known US company, and I had to explain basic encryption concepts to him.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:Do not trust firmware or embedded hardware by gweihir · · Score: 1

      The NSA is mostly signals intelligence. The attacks here are for physical access to the unplugged device. This does not fit.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    12. Re:Do not trust firmware or embedded hardware by silas_moeckel · · Score: 1

      But I am sure his resume said he had decades of experience and several PhDs in the subject even though he was only 25.

      --
      No sir, I don't like it.
  5. Business as usual by UberVegeta · · Score: 2

    "Quoting the abstract should to be enough" Business as usual on /. then.

    --
    I knew I needed to stop reading Slashdot and finish my PhD when I started to miss articles by Bennett Haselton.
  6. Re:American brands by cfalcon · · Score: 1

    Given that all brands are generally manufactured in similar facilities (down to the fact that when there was a tsunami in one specific area, ain't nobody shipping shit for months), why do you think this? Can you link to something?

  7. NopeNopeNopeNope... by Aaden42 · · Score: 2

    From TF-PDF:

    These hard drives comes pre-formatted, pre-encrypted

    So WD by definition knew the AES key the drive was encrypted with. Even if they did everything else perfectly (which they clearly didn't), somebody besides you knew the key. Fail...

  8. Shocking news by JustAnotherOldGuy · · Score: 3, Insightful

    "...several security weaknesses like RAM leakage, weak key attacks and even backdoors on some of these devices, resulting in decrypted user data, without the knowledge of any user credentials."

    I know I'm simply stunned by this hard-to-believe finding.

    It's almost like somebody somewhere intended for the drive to be able to be read in spite of all the super-duper-mega-awesome data protection whatchamacallit stuff.

    Either that or all of the engineers at Western Digital involved in designing this thing are utter morons who have no idea what they're doing.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Shocking news by antdude · · Score: 1

      Most likely "Either that or all of the engineers at Western Digital involved in designing this thing are utter morons who have no idea what they're doing."

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  9. Re:What good are these things? by Solandri · · Score: 1

    Can anyone think of a case where the encryption on these drives is somehow useful to the owner?

    They're used on corporate laptops where sensitive data is stored on the HDD, in case the laptop is lost or stolen. Even if the laptop is protected by a BIOS password and a Windows password, someone can still remove the HDD, connect it to a different computer, and access the data that way. Encrypting the HDD prevents that mode of attack.