Security flaws in SSD data storage devices

Researchers at Radboud University in the Netherlands have discovered that widely used data storage devices with self-encrypting drives do not provide the expected level of data protection. A malicious expert with direct physical access to widely sold storage devices can bypass existing protection mechanisms and access the data without knowing the user-chosen password.

Which models are affected?

  • Crucial (Micron) MX100, MX200 and MX300 internal hard disks
  • Samsung T3 and T5 USB external disks
  • Samsung 840 EVO and 850 EVO internal hard disks

Not all disks on the market have been tested, so the range of affected models may be larger.

Is a remote attack (over the internet) possible?

No. The attacker must have direct physical access to the disk.

I am using BitLocker for encryption, am I affected?

On computers running Windows, a software component called BitLocker handles the encryption of the computer’s data. In Windows, the kind of encryption that BitLocker uses (i.e. hardware encryption or software encryption) is set via Group Policy. By default, hardware encryption is used if the drive supports it. For the affected models, the default setting must be changed so that only software encryption is used. This change does not solve the problem immediately, because it does not re-encrypt existing data. Only a completely new installation, including reformatting the internal drive, will enforce software encryption.

I am using another encryption tool (e.g. VeraCrypt). Am I affected?

Probably not. Tools such as VeraCrypt use software encryption.

You can learn how to use VeraCrypt during the Digital Self-defense workshop.

Are there security patches?

There is a firmware update for the Crucial disks and for the Samsung T3 and T5 models. The Samsung EVO drives are unpatched; Samsung recommends installing encryption software that is compatible with your system (e.g. VeraCrypt).

How to force BitLocker to use software encryption?

  • Open the Local Group Policy Editor by entering “gpedit.msc” in the Run dialog.
  • Navigate to “Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives.”
  • Double-click the “Configure use of hardware-based encryption for fixed data drives” option in the right panel.
  • Select the “Disabled” option there and click “OK” to save the new setting.
  • After changing this policy, you must completely decrypt the drive and then enable BitLocker again; only then will software encryption be used.
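As an added example (not from the original article or from Radboud University), the following PowerShell audit lets a defender check two things on a Windows machine: whether the hardware-encryption policy has actually been set to Disabled, and which encryption method each BitLocker volume is using right now. It assumes an elevated session with the BitLocker PowerShell module, and it assumes that the registry values OSHardwareEncryption and FDVHardwareEncryption under the FVE policy key are the ones written by the “Configure use of hardware-based encryption” policies for operating system drives and fixed data drives.

```powershell
# Added audit script, not part of the original article. Assumed: elevated
# session, BitLocker PowerShell module present, and that the policy values
# below are the ones the Group Policy settings write (verify on your build).

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policyValues = @{
    'OSHardwareEncryption'  = 'Operating system drives'
    'FDVHardwareEncryption' = 'Fixed data drives'
}

# 1. Is the policy explicitly Disabled (value 0) for each drive class?
#    An absent value means "Not Configured", i.e. hardware encryption is
#    still allowed by default on a self-encrypting drive.
foreach ($name in $policyValues.Keys) {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        $state = 'NOT CONFIGURED (hardware encryption allowed by default)'
    } elseif ($value -eq 0) {
        $state = 'Disabled (software encryption enforced)'
    } else {
        $state = "Enabled ($value) - hardware encryption allowed"
    }
    Write-Output ('Policy for {0,-24}: {1}' -f $policyValues[$name], $state)
}

# 2. Which method is each volume actually using? Changing the policy does not
#    re-encrypt existing data: a volume that already reports 'Hardware' keeps
#    relying on the drive's own encryption until it is fully decrypted and
#    BitLocker is turned on again.
Get-BitLockerVolume | ForEach-Object {
    $method = $_.EncryptionMethod
    if ($method -eq 'Hardware') {
        $note = 'SELF-ENCRYPTING DRIVE IN USE - decrypt fully, then re-enable BitLocker'
    } elseif ($_.VolumeStatus -eq 'FullyDecrypted') {
        $note = 'not encrypted'
    } else {
        $note = 'software encryption (performed by the CPU)'
    }
    Write-Output ('Volume {0} {1,-20} {2,-12} {3}' -f $_.MountPoint, $_.VolumeStatus, $method, $note)
}
```

Run it once before and once after the decrypt/re-enable step; the volume line should change from Hardware to an AES/XTS method.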

(sources: Radboud University, The Hacker News)

Milan

My name is Milan Půlkrábek. I remember computers without the internet, the internet without Google and mobile communication without encryption. I have more than twenty years of professional experience in IT; I lecture and write articles about IT security, cryptocurrencies and new technologies. Since 2014 I have been part of the non-profit organization Paralelní Polis in Prague.