Western Digital to buy SanDisk, experts eviscerate WD’s encrypted hard drives

By Joel Hruska 

There’s two major pieces of news out today by about Western Digital, the hard drive manufacturer and storage giant. First up, the company has announced it intends to purchase SanDisk, a major manufacturer of NAND flash and memory cards, for roughly $19 billion dollars. That’s a 15% premium over SanDisk’s current stock price. The company has reportedly been shopping for a buyer — its growth has lagged expectations in recent years.

It’s probably a smart move for Western Digital, which has similarly been facing the inevitable decline of its hard drive business. I don’t expect HDDs to vanish any time soon — the cost / performance curve is simply too sexy for low-margin vendors like Dell and HP to resist, and SSDs that can match HDD storage remain far too expensive to be directly comparable. 6TB drives can be had for $220, or roughly 3.6 cents per GB, while the 850 Evo 2TB version is currently $750. While that’s an enormous improvement over prices from years ago, there’s still a 10x cost gap between HDDs and SSDs.

The threat to Western Digital and other manufacturers, however, is that SSDs could drive down sales of enterprise drives, which typically sell for far more cash and are far more lucrative than bottom-end consumer hardware. Snapping up SanDisk gives WD much-needed expertise in bringing NAND products to market and should help the company’s efforts to position itself as a premiere storage provider from consumer hardware to enterprise divisions.

WD encryption standards incredibly flawed

Over the past few years, full-disk encryption has become an increasingly popular way of securing user data. Western Digital manufacturers a line of supposedly secure hard drives meant to aid in this endeavor, but a new report indicates that these drives are incredibly flawed, with numerous security bugs. Oftentimes these reports focus on a single flaw or line of attack, but that’s not the case here.

All of the Western Digital My Passport drives use a common architecture, as shown below:

The researchers found that WD has used a wide range of USB bridges, including parts manufactured by JMicron, Symwave, Initio, and PLX. AES encryption is supported either by the USB bridges or by the SATA controller itself, though versions of the drive apparently didn’t offer hardware AES at all.

Passport drives that use the USB bridge for encryption rely on either AES-128 or AES-256 to create an encryption key. The researchers refer to this as the DEK (Data Encryption Key). The DEK is set at the factory (all of the drives tested used a 256-bit DEK). The user is then allowed to set an individual password, called the KEK. The factory-set DEK is itself protected by a static hash value, common to all WD Passport drives, called the KEK₈. The KEK₈ is hard-coded into the firmware of every drive. once you’ve cracked one WD Passport, you’ve cracked the DEK on every Passport. The diagram below shows the authentication process.

The encryption mechanism

In cryptography, “salting” a password means adding an additional string of information to the original password to make it less vulnerable to dictionary attacks. If the user chooses a password like “abc12345,” but the system salts it by adding #$X,J, the final hash value will be computed for “#$X,J,abc12345.” Salting passwords isn’t bulletproof, but it makes entire groups of passwords more difficult to crack — if the salt is done correctly.

Unfortunately, Western Digital appears to have salted their entire Passport line using a constant, hard-coded, three-digit salt — “WDC.” It can’t be changed, under any circumstances.

Hit the DEK

The research team refers to the DEK as the holy grail. An attacker who gains access to the DEK can bypass the USB bridge and read the raw data off the drive manually. This requires modifying the drive, but we’ve seen enough reports on the NSA’s capabilities in the post-Snowden era to know that this kind of intervention does occur, at least occasionally. Researchers noted that some of the critical infrastructure required to make the necessary physical modifications to the drive is exposed on the HDD PCB itself. This allowed them to locate where backup copies of the encrypted DEK were kept and retrieve them. Once the DEK has been copied from the drive, it can be brute-forced off-site (possibly with considerably more-advanced computing hardware).

The paper goes on to describe the various attacks made against each of the drive controllers and models previously listed. Not every weakness is present in every controller, but every device tested had enormous security flaws that made it trivial to retrieve critical data or install so-called “evil maid” attacks. Some drives could be modified to launch attacks against new targets via malware embedded into the firmware of the drive itself. There’s also evidence that the Random Number Generator used in the Jmicron models isn’t actually random at all (that’s another enormous red flag).

One controller, the Symwave 6316, actually saves the KEK with a hardcoded encryption sequence and stores it on the drive itself. Since the KEK is used to unlock the DEK, and unlocking the DEK gives you access to every bit of data on the drive, this is like locking your house and then hanging the key right next to the door. The PLX chip contains its own backdoor problem and actually leaks the encrypted DEK directly from RAM to the host system. Western Digital’s method of updating the firmware on the drives is also vulnerable to attack.

Don’t buy a Passport for security

If you want a secure hard drive, don’t buy a WD Passport. Some of these problems might be fixed with firmware updates, but there are multiple enormous security flaws embedded in multiple controllers and firmware. WD might be able to close some of the most egregious leaks, but it’s unlikely that the drives can be fully patched and secured. It’s not clear how many of these problems affect other vendors, and using an additional security program, like VeraCrypt, might avoid some of them — but the entire point of buying an encrypting hard drive is supposed to be that these functions are handled in hardware and don’t necessitate additional software (or the overhead associated with the same).