Thursday, October 22, 2015

Hard drive encryption broken - HIPAA implications?

The Problem
Three researchers identified serious vulnerabilities in Western Digital hard drives using digital encryption.  Many of our clients, particularly those in health care, enforce the use hardware encrypted drives to ensure the protection of regulated data such as PHI.  At Rendition Infosec, we think this research has HIPAA, PCI, and other regulated data implications.

If you are interested in the full gory details you should read the paper (probably with the help of a mathematician).  But some of the encryption faux pas are laughable.  The paper is available here and slides are available here.

Holy 40 bit encryption bat man!
In one case, the developers seed the encryption algorithm with a hardware random number generator.  But it turns out the random number generator isn't so random after all. It just cycles through 255 random 32 bit values.  Forget about worrying whether you have 512, 1024, or 2048 bit encryption.  Try 8 bit on for size. Other variations are added into the algorithm so we really have a 40 bit key, but now we're in the area of WEP and less than DES, both critically broken given today's computing power.  Note that even if this method had worked perfectly, the output would have been a 64 bit key, which seems arbitrarily small.

Someone tell Jimmy the date of manufacture isn't random at all
Another model uses the manufacture date and time as a seed to generate the key.  This is nowhere near random and many models have the manufacture date printed on the case of the hard drive.  Super fail.

Several additional attacks are presented in the paper - read up on them if you are interested.  The point is that mickey mouse apparently built the encryption.  But what's the impact to your business?

Business Impact 
Business impact is where the rubber meets the road.  If you've been relying on hardware encryption to protect confidential and/or regulated data, you should probably re-evaluate the decision.  Many of our clients like hardware encrypted drives, particularly for use with slower machines, because it uses CPU cycles on the drive controller, not your laptop/desktop. Don't think this problem is unique to WD.  We would be remiss to think that WD is the only vendor to have these issues.

You should also scan for the known vulnerable drives in your environment.  Don't trust purchasing records.  I can't stress this enough - don't simply scan purchasing records and say "we didn't buy any of these drives through purchasing, therefore there are none in the environment."  At Rendition Infosec, we find additional "off books" hardware during practically every assessment.  Hardware inventory is hard - it's even harder when the hardware is a peripheral.  If you don't have a solution in place to scan for these drives, contact me and I'll be happy to help you.

Finally, review your lost hardware (at least that which was reported).  Were any of your lost drives containing regulated data one of the impacted models?  Did you issue a breach notification?  Probably not if the drive was encrypted.  But given that the drives are now known to be trivial to decrypt, you may need to reconsider your breach notification decision.  I am not a lawyer, but you should talk to internal counsel.

1 comment:

Note: Only a member of this blog may post a comment.