Several versions of self-encrypting hard drives from Western Digital are riddled with so many security flaws that attackers with physical access can retrieve the data with little effort, and in some cases, without even knowing the decryption password, a team of academics said.
The paper, titled got HW crypto? On the (in)security of a Self-Encrypting Drive series, recited a litany of weaknesses in the multiple versions of the My Passport and My Book brands of external hard drives. The flaws make it possible for people who steal a vulnerable drive to decrypt its contents, even when they’re locked down with a long, randomly generated password. The devices are designed to self-encrypt all stored data, a feature that saves users the time and expense of using full-disk encryption software.
“After researching the inner workings of some of the numerous models in the My Passport external hard drive series, several serious security vulnerabilities have been discovered, affecting both authentication and confidentiality of user data,” the researchers wrote. “We developed several different attacks to recover user data from these password protected and fully encrypted external hard disks.”