- Joined
- Mar 3, 2018
- Messages
- 1,713
Researchers from Radboud University in the Netherlands found severe security vulnerabilities in several popular, self-encrypting SSDs from Samsung and Crucial. These SSDs can encrypt and decrypt data coming in and out on the fly, which is seen as a "hardware encyption" option in Bitlocker on Windows systems, but the researchers highlighted several ways to bypass this encryption without a user password. Vendor-specific commands, memory corruption, storage chip communication exploits, and (theoretically) fault injection attacks can all be used to run unsigned code, and gain control over the SSD's data. The full research paper can be read in the original article, and the researchers recommend using software encryption over hardware encryption in general. Samsung and Crucial were notified in April, and Samsung already has a consumer notice on their site.
The researchers identified these security issues using public information and around €100 of evaluation devices. They bought the SSDs that they examined via regular retail channels. It is quite difficult to discover these problems from scratch. However, once the nature of the issues is known, there is a risk that the exploitation of these flaws will be automated by others, making abuse easier. The researchers at Radboud University will not release such an exploitation tool. The models for which vulnerabilities have actually been demonstrated in practice are: Crucial (Micron) MX100, MX200 and MX300 internal hard disks; Samsung T3 and T5 USB external disks; Samsung 840 EVO and 850 EVO internal hard disks. It should be noted, however, that not all disks available on the market have been tested. Specific technical settings (related to e.g. "high" and "max" security) in which internal drives are used may affect the vulnerability.
The researchers identified these security issues using public information and around €100 of evaluation devices. They bought the SSDs that they examined via regular retail channels. It is quite difficult to discover these problems from scratch. However, once the nature of the issues is known, there is a risk that the exploitation of these flaws will be automated by others, making abuse easier. The researchers at Radboud University will not release such an exploitation tool. The models for which vulnerabilities have actually been demonstrated in practice are: Crucial (Micron) MX100, MX200 and MX300 internal hard disks; Samsung T3 and T5 USB external disks; Samsung 840 EVO and 850 EVO internal hard disks. It should be noted, however, that not all disks available on the market have been tested. Specific technical settings (related to e.g. "high" and "max" security) in which internal drives are used may affect the vulnerability.