My Passport self-encrypting hard drives, easily hacked

Vulnerability researchers claim Western Digital’s “self-encrypting” My Passport hard drive is plagued by serious security vulnerabilities that allow an attacker trivial access to data stored on its products. The details were included in a paper dated 28 September, and posted to websites where vulnerability researchers post their findings if the affected company is not being cooperative.

The vulnerability comes from a multitude of errors Western Digital ran into when designing their method of encryption. The My Passport drives allow a user to set a password in order to use them, which is then protected by an encryption key. Western Digital creates the password using the C rand() function, which is known not to be cryptographically secure. This simple command for creating random numbers is not up to the task of producing a suitably strong key for keeping data secure. On top of that some models simply store the password on the hard drive. That means an attacker wouldn’t even need your password to break into the device.

“An attacker who steals your drive can guess the key in a short time using a single PC,” said the assistant professor at Johns Hopkins University. Cyber security is becoming more and more important as the Internet of Things becomes more developed. Now by gaining access into a network, hackers can control things like cars driving on the road, factories in automated production, and have access to large amounts of data. Without advanced security, like encryption, a lot can go wrong in a system.

5 thoughts on “My Passport self-encrypting hard drives, easily hacked

  1. This was very interesting to read and a bit worrisome. I actually own a “my passport” hard drive and had no idea this was a recurring issue! Like one of the commenters, my hard drive holds many family pictures and travel photography, so if those were ever taken or deleted, I would be upset (upset wouldn’t even be the word). Hopefully, Western Digital will publicly acknowledge the encryption issues and do a software change. I’m not registered to a WD account or anything, but a mass alert email or product recall seems to be necessary when something like this could intervene in thousands of regular hard drive user’s lives.

  2. Like many of the other poster I too have a Western Digital passport. Although I do not have too much personal information on there I still would not like people taking my things without my permission. Hopefully the company will either recall their previous hard drives or at least make change to the new ones coming out. With a memory becoming increasingly cheaper more people can afford these external hard drives, making more information stored, creating more information that could be stolen. I hope that companies like western digital will create and keep in mind of new security for new drives.

  3. Like a previous comment, I also find this interesting as I have a WD My Passport external hard drive. It is disconcerting that if someone were to steal it or if I were to misplace it that someone could easily bypass the security features.

    What I’m more concerned about than the WD product itself is other products that hold important information that are easy to hack. With these external hard drives keeping them safe from hackers is as easy as being aware of where the external hard drive is and not losing it. Which I understand is sometimes easier said than done. But a breach of security on a device that holds data which would be more alarming would be the cloud. There is so much data stored in the cloud and the hacker does not need access to the hardware to hack it.

  4. This is extremely alarming, especially because WD is the largest HDD manufacturer, and now with their recent purchase of SanDisk they will begin selling SSDs. It makes you wonder what other drives they have might have security issues if they were able to overlook this one. With so many drives on the market produced by WD, millions of devices could potentially be hacked. Hopefully this issue is addressed. Luckily, this problem does not allow the drives to get hacked remotely and still requires that you have the drive. This decreases the chance of anyone’s data being stolen, but virtually destroys the purpose of encryption.

    I’d like to see how this effects WD monetarily considering their recent purchase of SanDisk two days ago. This purchase is a huge step in the right direction for WD, but they can tarnish their reputation if there are more in their products that haven’t come to light yet.

  5. I find this Issue particularly interesting because i have multiple Western Digital hard drives with lots of personal information on them. I would be very upset if there was a security breach because I have lots of photography that has lots sentimental value and would be very upset if my pictures were sold without my knowing. This not only has a personal impact but if business and schools frequently use these hard drive their sensitive information could also be compromised and Western Digital could have some interesting customer service issues and maybe even law suits. This issue needs to be addressed promptly and customers need to now that their information is not safe so that they can take the necessary steps to protect it.

Leave a Reply