Encrypted external hard disk drives littered with security flaws

Western Digital fingered by researchers for less-than-secure encrypted hard disk drives

Consumer-grade external hard-disk drives that claim to encrypt data are littered with security flaws, according to a recently released academic paper.

It examined two popular Western Digital external hard disk drives, the "My Passport" and the "My Book" devices, which can be bought at PC World or Maplin.

These hard drives come pre-formatted and pre-encrypted, and are supported by various free software tools from Western Digital, for both Windows and Mac, to manage and secure the hard disks.

"After researching the inner workings of some of the numerous models in the My Passport external hard drive series, several serious security vulnerabilities have been discovered, affecting both authentication and confidentiality of user data," warn the researchers.

They continue: "We developed several different attacks to recover user data from these password protected and fully encrypted external hard disks. In addition to this, other security threats were discovered, such as easy modification of firmware and on-board software that is executed on the user's PC, facilitating 'evil maid' and 'badUSB' attack scenarios, logging user credentials and spreading of malicious code."

One particular weakness common to all the Western Digital products the researchers analysed was the firmware updater.

"The firmware update of the bridges and the emulated CD-ROM is done by undocumented vendor-specific SCSI commands, that is executable post-authentication. The firmware and virtual CD are not digitally signed or cryptographically secured from tampering and modification. Both evil maid and badUSB attack scenarios are possible.

"In addition, the virtual-CD (VCD) executable requires administrative privileges on Windows, so a modified VCD has full access to any host computer starting executables from it. The firmware can be modified to log the user-password or spread malware."

"Evil Maid" describes attacks in which an unattended laptop, or a laptop confiscated by airport security, could be cracked. BadUSB attacks refer to attacks using security weaknesses in the USB bridge