Researchers at Radboud University in Holland have published a paper outlining flaws via which they could bypass existing encryption mechanisms and access SSD data without knowing any user passwords. It concludes that widely used data storage devices with self-encrypting tech “do not provide the expected level of data protection”. The researchers tested popular, currently shipping, SSDs from both Crucial and Samsung.
The Dutch researchers found a “pattern of critical issues” in hardware SSD encryption after reverse engineering firmware from multiple SSDs. For example, they found that one of the drive models had a master password than was just an empty string - so encryption could be bypassed by simply hitting enter. Perhaps worse was another drive’s accepting of any password input - as the firmware validation checks weren’t working.
In its tests the following SSDs (internal and external models) were examined for security issues:
- Crucial (Micron) MX100, MX200 and MX300 internal hard disks;
- Samsung T3 and T5 USB external disks;
- Samsung 840 EVO and 850 EVO internal hard disks.
The researchers note that they haven’t tested all available SSDs from Crucial and Samsung but think it is likely that more products are affected by the same vulnerabilities in their firmware. This vulnerability information was responsibly disclosed to both manufacturers and the National Cyber Security Centre (NCSC) of the Netherlands in April 2018.
A related issue highlighted by the Radboud University computer scientists is to do with Microsoft Windows security policies. On other OSes like MacOS, iOS, Android, and Linux users can utilise software-based encryption provided by the OS vendor. Microsoft BitLocker is, however, only available to Professional, Enterprise and Education editions of Windows 10. Furthermore, if BitLocker sees you install a new SSD with hardware encryption, it is by default set to trust and use the hardware facility – which has now been demonstrated to be vulnerable. The researchers therefore recommend the open-source audited VeraCrypt software to such Windows users.
Since the above report went live Samsung and Micron have responded. Samsung is currently advising its users to install encryption software to avoid potential breach, and Micron has said it will issue a firmware update in light of the issues (no release schedule specified).