Researchers at Radboud University in the Netherlands have discovered that widely used data storage devices with self-encrypting drives do not provide the expected level of data protection. A malicious expert with direct physical access to these widely sold storage devices can bypass the existing protection mechanisms and access the data without knowing the user-created password.
These flaws exist in the encryption mechanism of several types of solid state drives of major manufacturers, namely Samsung and Crucial. The vulnerabilities occur both in internal storage devices (in laptops, tablets and computers) and in external storage devices (connected via a USB cable).
Researcher Bernard van Gastel: “The affected manufacturers were informed six months ago, in line with common professional practices. The results are being made public today so that users of the affected SSDs can protect their data properly.” Researcher Carlo Meijer: “This problem requires action, especially by organizations storing sensitive data on these devices. And also by some consumers who have enabled these data protection mechanisms. But most consumers haven’t done that.”
If sensitive data needs to be protected, it is in any case advisable to use software encryption and not rely solely on hardware encryption. One option is to use the free and open source VeraCrypt software package, but there are various other solutions users can consider. For computers running Windows, BitLocker provides software encryption, and data may not be secure.
The researchers identified these security issues using public information and evaluation devices. They bought the SSDs that they examined via regular retail channels. It is quite difficult to discover these problems at first glance. However, once the nature of the issues is known, there is a risk that others will automate the exploitation of these flaws, making abuse easier.
The models for which vulnerabilities have actually been demonstrated in practice are:
- Crucial (Micron) MX100, MX200 and MX300 internal hard disks;
- Samsung T3 and T5 USB external disks;
- Samsung 840 EVO and 850 EVO internal hard disks.
It should be noted, however, that not all disks available on the market have been tested. Specific technical settings (related to e.g. “high” and “max” security) in which internal drives are used may affect the vulnerability.