Researchers find “pattern of critical issues” in SSD encryption

by Mark Tyson on 6 November 2018, 11:01

Tags: Samsung (005935.KS), Crucial Technology (NASDAQ:MU), Micron (NASDAQ:MU)

Quick Link: HEXUS.net/qadzcs


Researchers at Radboud University in Holland have published a paper outlining flaws via which they could bypass existing encryption mechanisms and access SSD data without knowing any user passwords. It concludes that widely used data storage devices with self-encrypting tech “do not provide the expected level of data protection”. The researchers tested popular, currently shipping, SSDs from both Crucial and Samsung.

The Dutch researchers found a “pattern of critical issues” in hardware SSD encryption after reverse engineering the firmware of multiple SSDs. For example, they found that one of the drive models had a master password that was just an empty string, so the encryption could be bypassed by simply hitting enter. Perhaps worse, another drive accepted any password at all, because the firmware's validation checks weren't working.

In their tests the following SSDs (internal and external models) were examined for security issues:

  • Crucial (Micron) MX100, MX200 and MX300 internal hard disks;
  • Samsung T3 and T5 USB external disks;
  • Samsung 840 EVO and 850 EVO internal hard disks.

The researchers note that they haven’t tested all available SSDs from Crucial and Samsung but think it is likely that more products are affected by the same vulnerabilities in their firmware. This vulnerability information was responsibly disclosed to both manufacturers and the National Cyber Security Centre (NCSC) of the Netherlands in April 2018.

A related issue highlighted by the Radboud University computer scientists concerns Microsoft Windows security policies. On other OSes like MacOS, iOS, Android, and Linux, users can utilise software-based encryption provided by the OS vendor. Microsoft BitLocker is, however, only available in the Professional, Enterprise and Education editions of Windows 10. Furthermore, if BitLocker sees you install a new SSD with hardware encryption, it is by default set to trust and use the hardware facility – which has now been demonstrated to be vulnerable. The researchers therefore recommend the open-source, audited VeraCrypt software to such Windows users.
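Because BitLocker silently delegates to the drive when hardware encryption is available, an administrator's first step is to find out which volumes are in that state. The script below is an added example, not from the article or the researchers; it assumes Windows 10 with the BitLocker PowerShell module in an elevated session, and that Get-BitLockerVolume reports such volumes with EncryptionMethod 'Hardware' (cross-check with `manage-bde -status`, which lists "Hardware Encryption" as the method).

```powershell
# Added example: find BitLocker volumes that rely on the SSD's own self-encrypting
# firmware instead of BitLocker's software XTS-AES. Run from an elevated prompt.

function Get-BitLockerEncryptionSummary {
    # Every volume BitLocker knows about that is not fully decrypted.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' } |
        Select-Object MountPoint, VolumeType, EncryptionMethod, VolumeStatus, ProtectionStatus
}

function Get-HardwareEncryptedVolumes {
    # 'Hardware' means BitLocker trusted the drive's built-in encryption,
    # i.e. data-at-rest protection depends on the drive firmware discussed above.
    Get-BitLockerEncryptionSummary | Where-Object { $_.EncryptionMethod -eq 'Hardware' }
}

$summary = Get-BitLockerEncryptionSummary
$summary | Format-Table -AutoSize

$hardware = @(Get-HardwareEncryptedVolumes)
if ($hardware.Count -gt 0) {
    Write-Warning ("{0} volume(s) depend on drive hardware encryption: {1}" -f `
        $hardware.Count, ($hardware.MountPoint -join ', '))
    Write-Host "To stop BitLocker choosing hardware encryption for NEW volumes, set to Disabled:"
    Write-Host "  Computer Configuration > Administrative Templates > Windows Components >"
    Write-Host "  BitLocker Drive Encryption > {Operating System | Fixed Data | Removable Data} Drives >"
    Write-Host "  'Configure use of hardware-based encryption for ... drives'"
    Write-Host "Volumes already using hardware encryption do not switch by themselves:"
    Write-Host "  decrypt (Disable-BitLocker) and re-encrypt (Enable-BitLocker) after the policy applies."
} else {
    Write-Host "No mounted BitLocker volume is using drive hardware encryption."
}
```

The policy only affects volumes encrypted after it is applied, which is why the script spells out the decrypt-and-re-encrypt step for existing ones.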

Since the above report went live, Samsung and Micron have responded. Samsung is currently advising its users to install encryption software to avoid a potential breach, and Micron has said it will issue a firmware update in light of the issues (no release schedule specified).



HEXUS Forums :: 10 Comments

Whelp, that's 90% of mainstream disk encryption in businesses skagged.

If there's a data breach due to a lost device and they have to inform the EU ICO, then they cannot guarantee the security of the data at rest because of this flaw.

If this affects the majority of SSDs then we have just witnessed disk encryption just get wiped out if the system reverts to hardware encryption over software…
I've honestly never seen anyone use this encryption. If people care, then the specific data they care about is encrypted in other ways with something like smartcard key management. Payment systems aren't even allowed to have the decrypt key on the same box as the data at rest.
DanceswithUnix
I've honestly never seen anyone use this encryption. If people care, then the specific data they care about is encrypted in other ways with something like smartcard key management. Payment systems aren't even allowed to have the decrypt key on the same box as the data at rest.

The problem is a lot of organisations rely on BitLocker, and HEXUS hasn't properly noted that BitLocker relies on it if it is available for SSDs:

Unfortunately, the pair also note that some popular data encryption systems, including the BitLocker tool Microsoft uses in Windows 10, do not use software encryption for SSDs and rely on the drive's vulnerable hardware encryption.

https://www.theregister.co.uk/2018/11/05/busted_ssd_encryption/
Tabbykatze
Whelp, that's 90% of mainstream disk encryption in businesses skagged.

If there's a data breach due to a lost device and they have to inform the EU ICO, then they cannot guarantee the security of the data at rest because of this flaw.

If this affects the majority of SSDs then we have just witnessed disk encryption just get wiped out if the system reverts to hardware encryption over software…


As others mentioned, I'm pretty sure businesses with any sort of salt have their own encryption techniques for confidential info. Pretty sure this is just the “self-encryption” thing that most wouldn't expect to be secure anyway.
I was just coming to post about this, having come across this Twitter conversation about it (at the end of the conversation is one of the report's authors).

Tabbykatze
The problem is a lot of organisations rely on BitLocker, and HEXUS hasn't properly noted that BitLocker relies on it if it is available for SSDs:

https://www.theregister.co.uk/2018/11/05/busted_ssd_encryption/

It's showing as mentioned here, so if it wasn't before it must have been edited in since your post.

Article
Furthermore, if BitLocker sees you install a new SSD with hardware encryption, it is by default set to trust and use the hardware facility – which has now been demonstrated to be vulnerable.