Researchers from the Netherlands discovered several vulnerabilities in various SSDs from Crucial and Samsung. The embedded hardware encryption can be bypassed.
If you require Digital Forensic assistance in gaining access to Encrypted, PIN or Password Locked Devices get in touch now – Advanced Data Recovery
Before we begin, the researchers have only tested a small number of Samsung and Crucial SSDs, it’s likely more widespread to other brands as well. They gents not only have they been able to bypass encryption
Vulnerability CVE-2018-12037 shows up on the Crucial MX100, MX200 and MX300, the external Samsung T3 and T5
The flaws can be found in the encryption mechanism of various types of
Researcher Carlo Meijer: ‘This problem mainly requires action from organizations that store sensitive data on these devices. And also of some consumers who use this form of data protection. However, most consumers do not yet use this form of data protection. ‘
If sensitive data needs to be protected, it is advisable to use software encryption in any case and not only rely on hardware encryption. One of the possible options is to use the free VeraCrypt open source software package, but there are other solutions as well.
Encryption (encryption) is the most important mechanism for data protection. This can be done via software and via hardware, for example in SSDs. In modern operating systems, software encryption is generally used for the entire storage. However, it is possible that such a control system decides to rely solely on hardware encryption (if supported by their storage medium via the TCG Opal standard). BitLocker, the encryption software built into Microsoft Windows, can make such a switch to hardware encryption, but in these
The researchers found these vulnerabilities with the aid of public information and around € 100 of evaluation equipment. They bought the SSDs that they researched through the normal sales channels. The vulnerabilities are quite difficult to discover. However, once the nature of the vulnerabilities is known, there is a risk that exploitation of these defects will be automated by others, making abuse easier. The researchers at Radboud University will not release such exploitation resources.
The models where actual vulnerabilities have been demonstrated are:
- the Crucial (Micron) MX100, MX200 and MX300 internal hard drives;
- the Samsung T3 and T5 external USB drives;
- the Samsung 840 EVO and 850 EVO internal hard drives.
On computers with Windows, a software component called BitLocker provides encryption of the data from the computer. Within Windows, the type of encryption that BitLocker uses is set via the so-called Group Policy. Only a completely new installation, including reformatting the internal drive, will force software encryption. Changing the default value does not solve the problem immediately because it does not re-encrypt existing data. More information about the Group Policy setting can be found in the left section below.
Both manufacturers were informed in April 2018 via the National Cyber Security Center (NCSC). The university has provided the data to both manufacturers so that they can adjust their product. The manufacturers themselves will provide detailed information to their customers about the models concerned; the necessary links are at the bottom.
When discovering a security error, there is always the dilemma of how to deal with this information. Immediate publication of the data can encourage attacks and cause damage. Long-term secrecy of the error can mean that the necessary steps to prevent vulnerability are not taken while people and organizations are still at risk. In the security community, it is common practice to look for a certain balance and to wait for defects to be exposed up to 180 days after the manufacturer of the product concerned has been informed. This procedure of responsible disclosure is used by Radboud University as standard.
The protection of digital data has become a necessity, especially in
The researchers are now about to publish the scientific aspects of their findings in the scientific literature. Today, November 5, 2018, a preliminary version (pdf, 757 kB) of these findings will be published. After the end of the peer review process, a definitive version will appear in the scientific literature. This publication is not a guide to breaking into SSDs.