Researchers Find Security Holes In Western Digital's Self-encrypting Hard Disks
Security researchers experimenting with the inner workings of some of the numerous models in Western Digital's My Passport external hard drive series have discovered serious security vulnerabilities affecting both authentication and confidentiality of user data. The Western Digital My Passport and My Book devices are external hard drive series that connect to host computers using USB 2.0, USB 3.0, Thunderbolt or FireWire, depending on the model. Many of the models advertise the benefit of hardware-implemented encryption. These hard drives come pre-formatted and pre-encrypted, and are supported by various free software from Western Digital, for both Windows and Mac, to manage and secure the hard disks, including setting a password to protect user data.
The researchers developed several different attacks to recover user data from these password-protected and fully encrypted external hard disks. In addition, other security threats were discovered, such as easy modification of the firmware and of the on-board software that is executed on the user's PC, facilitating evil maid and BadUSB attack scenarios, logging of user credentials and spreading of malicious code.
In some cases they found that the encryption is performed by the chip that bridges the USB and SATA interfaces. In other cases, the encryption is done by the HDD's own SATA controller, with the USB bridge handling only the password validation.
Western Digital has been in a dialog with the independent security researchers regarding their findings for certain models of My Passport hard drives and is currently evaluating their observations, a Western Digital representative said.