Your Self-Encrypting Hard Drive May Use Encryption That Really Sucks

Illustration for article titled Your Self-Encrypting Hard Drive May Use Encryption That Really Sucks

Self-encrypting hard drives are a bright idea, allowing you to back up data safe in the knowledge that nobody else can sift through it. Unless, that is, the encryption system is easy to crack — which a new security study had found can be the case.


Motherboard reports that a study sent to the Full Disclosure email list — where researchers post security findings when a company doesn’t seem to care — suggests that Western Digital’s range of My Passport hard drives suffer such a problem. While they’re purported to encrypt data stored upon them, it seems that cracking the encryption scheme is actually pretty easy.

The weakness results from the way the encryption key is generated. Firstly, it uses a simple C command called rand() to generate a random number for use in the encryption scheme. But that command actually produces numbers that are known to not be random enough for use in encryption.

Second, that random number is seeded using a number that is simply the time of creation written out in 32-bit format. Given the time at which the key is generated will definitely have happened between the time of manufacture of the drive and now, that means only a limited number of times have to be tried before the correct key is obtained. In turn, that makes it possible to crack the scheme reactively quickly on a normal desktop PC.

Sadly, that’s the best case. In the worst case, the researchers found that, on some of the My Passport drives, the encryption key required to access the drive is actually stored on the drive. In plain text.

The researchers have contacted Western Digital, but aren’t aware of the company taking any action to solve the problem. Until they do, any My Passport drives are best considered to be unencrypted.


Image by Ruben Vermeersch under Creative Commons license



In other news, the ocean is deep.

I mean, I do understand that this is a pretty huge security flaw, but to be honest, I would’ve never expected anything sold at Best Buy to be NSA-level secure.