Security researchers have busted the encryption in several popular Crucial and Samsung SSDs

Researchers at Radboud University have found critical security flaws in several popular Crucial and Samsung solid state drives (SSDs), which they say can be easily exploited to recover encrypted data without knowing the password.
The researchers, who detailed their findings in a new paper out Monday, reverse engineered the firmware of several drives to find a pattern of critical issues across the device makers.
In the case of one drive, the master password used to decrypt the drive's data was just an empty string and could be easily exploited by flipping a single bit in the drive's memory. Another drive could be unlocked with any password by crippling the drive's password validation checks.
That wouldn't be much of a problem if an affected drive also used software encryption to secure its data. But the researchers found that in the case of Windows computers, often the default policy for BitLocker's software-based drive encryption is to trust the drive and therefore rely entirely on a device's hardware encryption to protect the data. Yet, as the researchers found, if the hardware encryption is buggy, BitLocker isn't doing much to prevent data theft.
In other words, users should not rely solely on hardware encryption as offered by SSDs for confidentiality, the researchers said.
Alan Woodward, a professor at the University of Surrey, said that the greatest risk to users is the drive's security failing silently.
"You might think you've done the right thing enabling BitLocker but then a third party fault undermines your security, but you never know and never would know," he said.
Matthew Green, a cryptography professor at Johns Hopkins, described the BitLocker flaw in a tweet as "like jumping out of a plane with an umbrella instead of a parachute."
The researchers said that their findings are not yet finalized pending a peer review. But the research was made public after disclosing the bugs to the drive makers in April.
Crucial's MX100, MX200 and MX300 drives, Samsung's T3 and T5 USB external disks, and Samsung 840 EVO and 850 EVO internal hard disks are known to be affected, but the researchers warned that many other drives may also be at risk.
The researchers criticized the device makers' proprietary and closed-source cryptography that they said, and proved, is often shown to be much weaker in practice than their open source and auditable cryptographic libraries. "Manufacturers that take security seriously should publish their crypto schemes and corresponding code so that security claims can be independently verified," they wrote.
The researchers recommend using software-based encryption, like the open source software VeraCrypt.
In an advisory, Samsung also recommended that users install encryption software to prevent any potential breach of self-encrypting SSDs. Crucial's owner Micron is said to have a fix on the way, according to an advisory by the Netherlands' National Cyber Security Center, but did not say when.
Micron did not immediately respond to a request for comment.
