Recently, there was a paper published about Western Digital’s (WD) My Passport series of Hard Drives.
Anyways, if you read the full report, it is a great summary of the various points of vulnerability that the drive has. Basically, you cannot rely on the drive to keep your data secure.
Ars Technica has a great summary post of the article if you are interested, along with their own analysis.
To begin with, I would like to know if this is an anomaly or if this is more widespread. I suspect though that most untested encryption meant for consumer devices (and likely many enterprise devices as well) is full of holes. Barring independent testing of a wide variety of storage media though, there is no easy way to test, but this small sample size is certainly not very encouraging.
The paper is disturbing especially because of the nature of the errors made. We are not talking about some highly complex, highly technical errors being made here (they used the Rand() function, as an example). I suspect that the encryption may be more marketing by WD than anything else. More dangerously, I would worry that it could put buyers into a false sense of security. Your data is actually not safe.
What is the lesson? If you buy a consumer or enterprise hard drive, I would not make the assumption that your data is secure just because it has encryption. In this day and age, even those considered the top industry experts occasionally make mistakes in their Transport Layer Security (TLS) implementations. There have been some high-profile security flaws found in the past few years.
In terms of safety against physical theft, I’d assume:
- Phones probably rank at the bottom in terms of security
- After that are hard drives like the WD My Passport that people carry, along with NAND-based USB drives
- Laptops probably rank after that
- Desktops and servers (it’s much harder to steal a full-sized tower or a large server)
The question is, should you be worried? If you have something sensitive, I’d say this one is a no-brainer, but be sure you have backups of the encrypted data and of course, encrypt the data. But what about the average user? That I’m having mixed feelings on. That said, you don’t have a choice when you lose your data – if you did, the answer would of course be never!
I’m actually looking into this in my spare time. There are companies that sell solutions (an example is Positive E Solutions), but they are probably too expensive for the average consumer. Something like VeraCrypt (which is free) seems like the best option.
This will be expanded in a later post. In the comments, I’d like to hear your thoughts about the lack of security and if there are any free tools that you use for hard drive encryption. Equally interesting to me would be to hear about what you use for your smartphone.