Update: In a statement on the extent of the data breach disclosed last month, Western Digital said it has control of its digital certificate infrastructure and is “equipped to revoke certificates as needed.”
“Regarding reports of the potential to fraudulently use digital signing technology allegedly attributed to Western Digital in consumer products, we can confirm that we have control over our digital certificate infrastructure,” the company said. “In the event we need to take precautionary measures to protect customers, we are equipped to revoke certificates as needed. We’d like to remind consumers to always use caution when downloading applications from non-reputable sources on the Internet.”
A massive cyber attack targeting drive maker Western Digital Corp. (WDC) could have serious and long-term implications.
One of the hackers apparently disclosed the extent of the cyber attack to TechCrunch this week. Hackers accessed a range of company assets and stole about 10 terabytes of data, but the disclosure with the greatest potential for damage is the hackers' claim that they can sign files with WDC's code-signing certificate and so impersonate the company.
TechCrunch said the hacker “shared a file that was digitally signed with Western Digital’s code-signing certificate, showing they could now digitally sign files to impersonate Western Digital. Two security researchers also looked at the file and agreed it is signed with the company’s certificate.”
Western Digital isn’t commenting for now, as the company works to contain and determine the extent of the attack, which the company disclosed on April 2.
But depending on what code and data the hackers got access to, the worst-case scenario is that cyber criminals could create malicious firmware and sign it with certificates that vouch for its authenticity. That could make malicious activity on any affected hardware difficult to detect and render that hardware essentially worthless.
As one Slashdot commenter put it, “Everyone should assume that firmware on WD drives cannot be trusted at this point.”
While it remains to be seen what the hackers accessed and how they could deliver malicious firmware, one industry observer told eSecurity Planet that the worst-case scenario would mean that WDC “would need a new ASIC and signing infrastructure.”
“This should be a wake up call for every ASIC vendor in the world,” the observer said. “We need WDC to tell us exactly what’s at stake, and quickly.”
In addition to Western Digital’s substantial hard disk drive (HDD) and solid state drive (SSD) market share, the company also owns flash drive maker SanDisk.
Western Digital statement updates April 14, 2023 article