Poor encryption on WD “My PassPort” drives

In a paper dated back to September 28, and included in the “Full Disclosure” email list from security advisers this week, it seems that “My PassPort” drives from Western Digital are not very secure at all.  According to Matthew Green, assistant professor at Johns Hopkins University, Western Digital uses the C rand () function to generate a psuedo random number used in the encryption of the drive and this function is already known to be insecure.  The WD drives also record the time of encryption in 32bit format. “That means instead of requiring billions of years to crack, an attacker who steals your drive can guess the key in a short time using a single PC,” according to Professor Green.

Western digital my passport logo

The researchers also discovered some backdoors on the drives, which would allow decryption of user data without ever using the original owner’s credentials.  Some models store the passwords chosen by the user on the drive itself, which just compounds the security problems.

Western Digital has responded with typical boilerplate, thanking the researchers for their  efforts to find issues in their security, but have not released any patches nor will they even confirm that the company would address the problem for existing users.  We can only hope that the drives are not being used in any critical areas, which require strong encryption of data.

You can read more on the story at Motherboard.Vice.com.