Author Topic: WD hard drive encryption is useless. Totally useless [The Register]  (Read 4561 times)

AArdvark

  • Kitizen
  • ****
  • Posts: 1008

http://www.theregister.co.uk/2015/10/20/western_digital_bad_hard_drive_encryption
Quote
The encryption systems used in Western Digital's portable hard drives are pretty pointless, according to new research. It appears anyone getting hold of the vulnerable devices can easily decrypt them.

WD's My Passport boxes automatically encrypt data as it is written to disk and decrypt the data as it is read back to the computer. The devices use 256-bit AES encryption, and can be password-protected: giving the correct password enables the data to be successfully accessed.

For information, in case anyone thinks the encryption is better than it is. :)

guest

  • Guest
Re: WD hard drive encryption is useless. Totally useless [The Register]
« Reply #1 on: October 23, 2015, 01:29:07 PM »

I find stuff like this very depressing as it just reinforces the feeling that pretty much nothing does what it says on the tin :(

I actually have a couple & they're very nice drives - I use whole-disk encryption which doesn't utilise their "h/w encryption" nonsense. I call it nonsense because any Intel cpu within the last 4 years has much faster AES acceleration so the bottleneck (in theory) is the USB3 connection.

If you're not worried about their dodgy encryption then I've seen the drives working at 110MB/s which seems fairly reasonable for a sealed-unit USB3 2TB spinner. As is always the case YMMV where the data is concerned.

Oh & I rather suspect there's another way to compromise the WD Security stuff but you'd have to pull the disk from the case (not that hard) to make it work. Basically if you set up their encryption then there's an offer to "Auto-unlock for this (Windows) user" and that applies the password automatically when you login/plugin the drive. I think that, were you to present the drive on a SATA interface, i.e. just the drive, not the USB3 i/f, then it'd probably unlock on any machine with the same username, which it's not supposed to do ;)

Encryption by feckwits rarely works....

tl;dr use some decent crypto s/w, drive performance is great, never set the Backup tool to continuous.

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: WD hard drive encryption is useless. Totally useless [The Register]
« Reply #2 on: October 23, 2015, 05:37:28 PM »

Quote
I find stuff like this very depressing as it just reinforces the feeling that pretty much nothing does what it says on the tin :(

I know what you mean.
I wonder how these products get made.
The marketing people create a great pitch for a product which appears to be 'cobbled' together by people who are not rigorous enough in thinking through all the possible workarounds and hacks.
As alluded to in the comments on the article, it would be sufficient to hide data from average users but anyone who might be after your data is more than likely NOT an average user.
The issue for me is that it adds to the erosion of trust in any products/methods that claim to be secure.
I am not an encryption expert, so I, like many, have to trust claims from manufacturers when I purchase kit.
I cannot afford, in all senses, to find out the hard way that my security is just a false impression based on marketing campaigns.

You get the impression more and more that the conversation was more like 'Security is making the News all the time. We need a secure product range to sell, Yesterday !! ..... Quick hack something together so we don't miss the opportunity. Don't worry about testing it too much we don't have the time.'
I hate being treated as a mug by Companies & Sales people.  >:( >:(

guest

  • Guest
Re: WD hard drive encryption is useless. Totally useless [The Register]
« Reply #3 on: October 23, 2015, 09:29:33 PM »

Quote
I find stuff like this very depressing as it just reinforces the feeling that pretty much nothing does what it says on the tin :(
I wonder how these products get made.

They get made because very very VERY few people actually understand cryptography. Your average h/w engineer won't have a clue, nor will your average s/w engineer. That's how you end up with dumb design decisions like this totally compromising security.

As an aside to anyone who has a "smart meter" in the UK - chances are your meter is controlled by a 96-bit key*. To put that in perspective that's less secure than a 1990s-era wireless access point - or even the export versions of US crypto at the time. Even the new "super-duper can't break this" encryption is only AES128 - again much less secure than pretty much anything wireless you could buy in the last 10 years & you wouldn't be permitted to access your internet banking with AES128. Perfectly OK for millions of homes gas/electricity though - not as if anyone is ever going to consider playing silly buggers with that mmm?

Ignorance & profit rather than tinfoil hats :)

*outwith the scope here but worth noting that the MAC digest is so broken that it requires as few as FOUR queries to recover that 96-bit key.
« Last Edit: October 23, 2015, 09:32:39 PM by rizla »

AArdvark

  • Kitizen
  • ****
  • Posts: 1008
Re: WD hard drive encryption is useless. Totally useless [The Register]
« Reply #4 on: October 23, 2015, 11:46:57 PM »

Quote
They get made because very very VERY few people actually understand cryptography. Your average h/w engineer won't have a clue, nor will your average s/w engineer. That's how you end up with dumb design decisions like this totally compromising security.

True but WD is not a little 1 man & his dog company!
They already work with Encryption with other Enterprise products.
The requirements are not burdensome in any way, they just need to be thought through correctly.
WD can create encryption that works if they want to but I believe the effort made was as minimal as they could get away with.
Make a product down to a price and shout 'Secure' to gain more sales.


 