A group of security researchers figured it'd be fun to see how well self-encrypting external hard drives protect data, and their findings may surprise owners of these devices. Gunnar Alendal, Christian Kison and "modg" took a few stabs at breaking into portable drives from Western Digital's My Passport and My Book series. Shockingly, the researchers were able to gain full access to user data in many ways. The team tested models manufactured as recently as 2013, and they say the drives tested remain unpatched.
Most of the tested drives use a USB-to-SATA bridge chip from a third-party manufacturer (JMicron, Initio, and Symwave, to name three) that can also handle encryption duties. The team found, in colloquial terms, a Kardashian butt-load of vulnerabilities that present attackers with a multitude of vectors to reach user data.
The vulnerabilities include encryption keys that are easy to brute-force thanks to poorly implemented random number generators, firmware protections that can easily be bypassed or flashed out, fixed encryption key salts, RAM data leakage, and even backdoors. In some cases, the team was able to obtain the encryption keys right off the hard drives themselves, as they're often tucked away in a set of "hidden" sectors. Adding insult to injury, WD didn't cryptographically sign its drives' firmware, opening yet another avenue for attack.
Although the security eggheads focused their work on Western Digital's older drives, it's not difficult to imagine that drives from other manufacturers are equally vulnerable, since the protection methods and third-party chips are likely to be similar. It should be noted that newer drives leave the encryption in the hands of the hard drives' SATA controller, which could close off some of the routes of attack the researchers found in these tests.