A logic error in the ArmorLock iOS and macOS client applications led to an incorrect determination that devices which lack biometric hardware also lack Secure Enclave hardware. On such devices, key material is placed in the software-backed Keychain instead of the more secure hardware-backed Secure Enclave.
The vulnerability was addressed by correctly identifying the presence of the Secure Enclave and using it when generating key material. Existing key material that was stored within the Keychain is removed, and one of two actions is performed depending on context: either the key material is regenerated within the Secure Enclave, or it is encrypted with a new key generated within the Secure Enclave.
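The following Swift/CryptoKit sketch is an added illustration and not the ArmorLock client's code (which is not on this page). It shows the biometry-as-proxy inference the advisory describes next to a direct Secure Enclave availability check, and the two remediation paths: regenerate the key inside the enclave, or wrap the existing key bytes under a new enclave-resident key. The function names, the HKDF label, the ECIES-style wrapping construction, and the omission of the actual Keychain read/delete calls are assumptions of the example.

```swift
import Foundation
import CryptoKit
import LocalAuthentication

// The flawed inference described in the advisory (illustrative, not ArmorLock's code).
// Using "can this device do biometrics?" as a proxy for "does this device have a Secure
// Enclave?" misclassifies hardware that carries a Secure Enclave but no biometric sensor,
// so its keys end up in the software Keychain.
func hasSecureEnclave_flawed() -> Bool {
    var error: NSError?
    return LAContext().canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error)
}

// Corrected detection: ask the framework directly whether Secure Enclave keys can be made.
// Available on iOS 13 / macOS 10.15 and later.
func hasSecureEnclave() -> Bool {
    return SecureEnclave.isAvailable
}

enum SigningKey {
    case software(P256.Signing.PrivateKey)               // raw scalar lives in the Keychain
    case enclave(SecureEnclave.P256.Signing.PrivateKey)  // scalar never leaves the SE
}

// Remediation path 1: generate fresh key material where the hardware allows it.
// For an enclave key, persist only `key.dataRepresentation` (an opaque blob usable
// solely by this device's SE). The software fallback stays for hardware with no SE.
func makeSigningKey() throws -> SigningKey {
    if hasSecureEnclave() {
        return .enclave(try SecureEnclave.P256.Signing.PrivateKey())
    }
    return .software(P256.Signing.PrivateKey())
}

// Remediation path 2: keep the existing key bytes but wrap them under a key that lives
// in the Secure Enclave, then delete the plaintext copy from the Keychain (not shown).
// The SE only holds P-256 keys, so the wrap is ECIES-style: ephemeral ECDH against the
// enclave key, HKDF to an AES-256-GCM key-encryption key, AES-GCM over the secret.
struct WrappedSecret {
    let ephemeralPublicKey: Data   // X9.63 encoding of the ephemeral P-256 public key
    let sealedBox: Data            // AES-GCM nonce || ciphertext || tag
}

private let wrapInfo = Data("key-migration-v1".utf8)   // illustrative HKDF label (assumed)

private func wrappingKey(from shared: SharedSecret) -> SymmetricKey {
    shared.hkdfDerivedSymmetricKey(using: SHA256.self, salt: Data(),
                                   sharedInfo: wrapInfo, outputByteCount: 32)
}

func wrapUnderEnclave(_ secret: Data,
                      enclaveKey: SecureEnclave.P256.KeyAgreement.PrivateKey) throws -> WrappedSecret {
    let ephemeral = P256.KeyAgreement.PrivateKey()
    let shared = try ephemeral.sharedSecretFromKeyAgreement(with: enclaveKey.publicKey)
    let box = try AES.GCM.seal(secret, using: wrappingKey(from: shared))
    // `combined` is non-nil for the default 12-byte nonce that `seal` generates.
    return WrappedSecret(ephemeralPublicKey: ephemeral.publicKey.x963Representation,
                         sealedBox: box.combined!)
}

func unwrapWithEnclave(_ wrapped: WrappedSecret,
                       enclaveKey: SecureEnclave.P256.KeyAgreement.PrivateKey) throws -> Data {
    let ephemeralPub = try P256.KeyAgreement.PublicKey(x963Representation: wrapped.ephemeralPublicKey)
    // The ECDH scalar multiplication runs inside the SE; the private scalar is never exposed.
    let shared = try enclaveKey.sharedSecretFromKeyAgreement(with: ephemeralPub)
    let box = try AES.GCM.SealedBox(combined: wrapped.sealedBox)
    return try AES.GCM.open(box, using: wrappingKey(from: shared))
}

// Migration driver, run once after the fixed build launches. Returns nil when there is
// no enclave to migrate to, in which case the software key is the best this device can do.
func migrateLegacyKeychainKey(_ legacyKeyBytes: Data) throws -> WrappedSecret? {
    guard hasSecureEnclave() else { return nil }
    let enclaveKey = try SecureEnclave.P256.KeyAgreement.PrivateKey()
    // Persist enclaveKey.dataRepresentation next to the wrapped blob, then remove the
    // legacy Keychain item so the plaintext key no longer exists on disk.
    return try wrapUnderEnclave(legacyKeyBytes, enclaveKey: enclaveKey)
}
```

Two practical checks follow from this. First, `SecureEnclave.isAvailable` is false on Macs without a T2 chip or Apple silicon, so the software Keychain path cannot be deleted outright; what changes is that it is chosen only when no enclave exists, not whenever biometrics are absent. Second, the migration must delete the legacy Keychain item in the same step that writes the wrapped blob, otherwise a crash between the two leaves the plaintext key behind and the remediation is incomplete.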
Western Digital periodically retains the services of third-party firms to audit and test the security of our products. This issue was discovered during a scheduled assessment performed by the security firm Trail of Bits. In order to provide transparency to our customers, we have elected to make the audit and remediation report for this issue available to the public.