Vulnerability researchers claim Western Digital’s “self-encrypting” My Passport hard drive is plagued by serious security vulnerabilities that allow an attacker trivial access to data stored on its products. The details were included in a paper dated 28 September, and posted to websites where vulnerability researchers post their findings if the affected company is not being cooperative.
The vulnerability comes from a multitude of errors Western Digital ran into when designing their method of encryption. The My Passport drives allow a user to set a password in order to use them, which is then protected by an encryption key. Western Digital creates the password using the C rand() function, which is known not to be cryptographically secure. This simple command for creating random numbers is not up to the task of producing a suitably strong key for keeping data secure. On top of that some models simply store the password on the hard drive. That means an attacker wouldn’t even need your password to break into the device.
“An attacker who steals your drive can guess the key in a short time using a single PC,” said the assistant professor at Johns Hopkins University. Cyber security is becoming more and more important as the Internet of Things becomes more developed. Now by gaining access into a network, hackers can control things like cars driving on the road, factories in automated production, and have access to large amounts of data. Without advanced security, like encryption, a lot can go wrong in a system.