A popular brand of self-encrypting external hard drives contains serious security vulnerabilities permitting attackers easy access to the data it stores.
The external hard drives are designed to automatically encrypt all stored data, saving users the time and effort required for full-disk encryption.
However, researchers Gunnar Alendal and Christian Kison discovered “backdoors on some of these devices, resulting in decrypted user data, without the knowledge of any user credentials”, which are detailed in a paper published at the end of September.
They said: “Several serious security vulnerabilities have been discovered, affecting both authentication and confidentiality of user data.”
The device that has come under scrutiny, Western Digital’s My Passport drive, allows users to set a password before using it.
Theoretically, this would bar anyone who steals the physical device from accessing the information stored on it.
But Alendal and Kison found that some models stored passwords on the drives themselves, eliminating the need for a hacker to have a password to access the device in the first place.
In another case, they said that it was possible to extract the drive’s hash and load it onto a computer for offline cracking.
The research pair even found a flaw that let them predict the underlying security key, because the random number generation behind it was based on the current time on the computer clock – although this vulnerability was addressed last year.
Alendal and Kison demonstrated that Western Digital had generated cryptographic keys with methods known to be insecure, such as the rand() function, which produces only a pseudo-random number.
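The weakness described in the two paragraphs above can be checked in a few lines of C. This is an added example, not code from the researchers' paper or from Western Digital: it assumes a 32-byte key built from rand() seeded with a timestamp, and the function names, key length and timestamp are constructed for illustration. It compares that key with one read from the operating system's random source.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 32  /* assumed key size for this illustration */

/* Weak: every key byte is determined by the seed (here, a timestamp). */
void weak_keygen(unsigned seed, uint8_t key[KEY_LEN]) {
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Hardened: take key bytes from the kernel CSPRNG; returns 0 on success. */
int strong_keygen(uint8_t key[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

/* Audit helper: count timestamps in [from, to] that regenerate `key`.
   Any non-zero result means the key is a function of the clock alone. */
long seeds_reproducing(const uint8_t key[KEY_LEN], unsigned from, unsigned to) {
    uint8_t guess[KEY_LEN];
    long hits = 0;
    for (unsigned s = from; s <= to; s++) {
        weak_keygen(s, guess);
        if (memcmp(guess, key, KEY_LEN) == 0) hits++;
    }
    return hits;
}

int main(void) {
    uint8_t weak[KEY_LEN], strong[KEY_LEN];
    unsigned made_at = 1400000000u;  /* constructed timestamp */
    weak_keygen(made_at, weak);
    if (strong_keygen(strong) != 0) return 1;
    /* A one-day window of candidate seeds is only about 86,400 values. */
    printf("time-seeded key reproduced by %ld seed(s) in a 1-day window\n",
           seeds_reproducing(weak, made_at - 43200, made_at + 43200));
    printf("CSPRNG key reproduced by %ld seed(s) in the same window\n",
           seeds_reproducing(strong, made_at - 43200, made_at + 43200));
    return 0;
}
```

The strength of the time-seeded key is bounded by the number of plausible clock values rather than by its 256-bit length, which is why key material should come from the operating system's cryptographic random source.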
A Western Digital spokesperson told Ars Technica that the company “has been in a dialogue with independent security researchers relating to their security observations in certain models of our My Passport hard drives.”
The spokesperson added that the firm will “continue to evaluate the observations”, but would not answer directly whether the company intended to issue a patch. They also did not say how such a patch would reach all of its affected customers.
More details of the security flaws can be found in Alendal and Kison’s paper.