===>

chimbwara.com

Pages

  • Home

Friday, 23 October 2015

Western Digital to buy SanDisk, experts eviscerate WD’s encrypted hard drives





There’s two major pieces of news out today by about Western Digital, the hard drive manufacturer and storage giant. First up, the company has announced it intends to purchase SanDisk, a major manufacturer of NAND flash and memory cards, for roughly $19 billion dollars. That’s a 15% premium over SanDisk’s current stock price. The company has reportedly been shopping for a buyer — its growth has lagged expectations in recent years.

WDMPUIt’s probably a smart move for Western Digital, which has similarly been facing the inevitable decline of its hard drive business.

 I don’t expect HDDs to vanish any time soon — the cost / performance curve is simply too sexy for low-margin vendors like Dell and HP to resist, and SSDs that can match HDD storage remain far too expensive to be directly comparable. 6TB drives can be had for $220, or roughly 3.6 cents per GB, while the 850 Evo 2TB version is currently $750. While that’s an enormous improvement over prices from years ago, there’s still a 10x cost gap between HDDs and SSDs.


The threat to Western Digital and other manufacturers, however, is that SSDs could drive down sales of enterprise drives, which typically sell for far more cash and are far more lucrative than bottom-end consumer hardware. Snapping up SanDisk gives WD much-needed expertise in bringing NAND products to market and should help the company’s efforts to position itself as a premiere storage provider from consumer hardware to enterprise divisions.

WD encryption standards incredibly flawed

Over the past few years, full-disk encryption has become an increasingly popular way of securing user data. Western Digital manufacturers a line of supposedly secure hard drives meant to aid in this endeavor, but a new report indicates that these drives are incredibly flawed, with numerous security bugs. Oftentimes these reports focus on a single flaw or line of attack, but that’s not the case here.
All of the Western Digital My Passport drives use a common architecture, as shown below:
Encryption1
The researchers found that WD has used a wide range of USB bridges, including parts manufactured by JMicron, Symwave, Initio, and PLX. AES encryption is supported either by the USB bridges or by the SATA controller itself, though versions of the drive apparently didn’t offer hardware AES at all.
MyPassport
Passport drives that use the USB bridge for encryption rely on either AES-128 or AES-256 to create an encryption key. The researchers refer to this as the DEK (Data Encryption Key). The DEK is set at the factory (all of the drives tested used a 256-bit DEK). The user is then allowed to set an individual password, called the KEK. The factory-set DEK is itself protected by a static hash value, common to all WD Passport drives, called the KEK8. The KEK8 is hard-coded into the firmware of every drive. once you’ve cracked one WD Passport, you’ve cracked the DEK on every Passport. The diagram below shows the authentication process.
Encryption
The encryption mechanism
In cryptography, “salting” a password means adding an additional string of information to the original password to make it less vulnerable to dictionary attacks. If the user chooses a password like “abc12345,” but the system salts it by adding #$X,J, the final hash value will be computed for “#$X,J,abc12345.” Salting passwords isn’t bulletproof, but it makes entire groups of passwords more difficult to crack — if the salt is done correctly.
Unfortunately, Western Digital appears to have salted their entire Passport line using a constant, hard-coded, three-digit salt — “WDC.” It can’t be changed, under any circumstances.

Hit the DEK

The research team refers to the DEK as the holy grail. An attacker who gains access to the DEK can bypass the USB bridge and read the raw data off the drive manually. This requires modifying the drive, but we’ve seen enough reports on the NSA’s capabilities in the post-Snowden era to know that this kind of intervention does occur, at least occasionally. Researchers noted that some of the critical infrastructure required to make the necessary physical modifications to the drive is exposed on the HDD PCB itself. This allowed them to locate where backup copies of the encrypted DEK were kept and retrieve them. Once the DEK has been copied from the drive, it can be brute-forced off-site (possibly with considerably more-advanced computing hardware).
The paper goes on to describe the various attacks made against each of the drive controllers and models previously listed. Not every weakness is present in every controller, but every device tested had enormous security flaws that made it trivial to retrieve critical data or install so-called “evil maid” attacks. Some drives could be modified to launch attacks against new targets via malware embedded into the firmware of the drive itself. There’s also evidence that the Random Number Generator used in the Jmicron models isn’t actually random at all (that’s another enormous red flag).
One controller, the Symwave 6316, actually saves the KEK with a hardcoded encryption sequence and stores it on the drive itself. Since the KEK is used to unlock the DEK, and unlocking the DEK gives you access to every bit of data on the drive, this is like locking your house and then hanging the key right next to the door. The PLX chip contains its own backdoor problem and actually leaks the encrypted DEK directly from RAM to the host system. Western Digital’s method of updating the firmware on the drives is also vulnerable to attack.

Don’t buy a Passport for security

If you want a secure hard drive, don’t buy a WD Passport. Some of these problems might be fixed with firmware updates, but there are multiple enormous security flaws embedded in multiple controllers and firmware. WD might be able to close some of the most egregious leaks, but it’s unlikely that the drives can be fully patched and secured. It’s not clear how many of these problems affect other vendors, and using an additional security program, like VeraCrypt, might avoid some of them — but the entire point of buying an encrypting hard drive is supposed to be that these functions are handled in hardware and don’t necessitate additional software (or the overhead associated with the same).
at October 23, 2015
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest

No comments:

Post a Comment

Newer Post Older Post Home
Subscribe to: Post Comments (Atom)

Connect With Chimbwara

34.2k likes

Like

28.6k followers

Follow

8.6k subscribers

Subscribe

17.3k followers

+1

Menu

  • Fashion
  • Culture
  • News
  • _Africa
  • _Europe
  • _Asia
  • _Amerca
  • _North Amerca
  • _South Amerca
  • _Australia
  • Technology
  • _Computer
  • _Cars
  • _Internet
  • Gossip
  • Download

Socialize

  • facebook count=3.5k;
  • twitter count=1.7k;
  • gplus count=735;
  • youtube count=2.8k;
  • pinterest count=524;
  • instagram count=849;

Social Media Icons

  • facebook
  • twitter
  • gplus
  • pinterest
  • bloglovin
  • dribbble
  • rss
  • behance
  • instagram
  • delicious

Author Details

Edward Nyang'ali is a young Entrepreneur running a number of sites from his living room. He is an experienced SEO Consultant, Computer Engineer, Professional Blogger & an addicted Web Developer. He runs Chimbwara Company which offers Web Services, and Online Business Solutions to clients around the globe. Chimbwara Company was founded in 2008 and is currently the Country's First Registered company of Professional Bloggers. The company has introduced several new faces online and continues to motivate teenagers in Schools, colleges and Universities through workshops and seminars.

Popular Posts

  • Trump, Netanyahu Align on Tough Iran Stance Before Talks
    As President Donald Trump prepares for his first meeting with Israeli Prime Minister Benjamin Netanyahu since entering the White House, ...
  • Blogger turns tables on cyber-scammer
    The scareware message told Mr Kwiatkowski to call technical support A French security researcher s...
Simple theme. Powered by Blogger.