Researchers at Radboud University recently released their findings involving research they conducted on Crucial and Samsung solid state drives (SSDs).
The Radboud University’s 5 November report stated that several popular models of SSDs manufactured by Crucial Technology and Samsung have a few severe weaknesses in how the devices effectuate hardware-based encryption.
These weaknesses are open doors that can allow attackers to bypass protected data without using a password. Consumers expect their SSDs to encrypt their data and would be caught entirely if there were a data breach.
The vulnerabilities affect both external and internal SSD, with the biggest problem being that, when hardware-based encryption accessible, encryption software packages such as BitLocker rely wholly on the hardware’s encryption rather than encrypting the data as it should.
If the drive signals that encryption is available, BitLocker, a Microsoft product built into Windows, relies on the hardware’s encryption by default.
It wasn’t until the researchers at Radboud University in the Netherlands uncovered these vulnerabilities and published their draft paper covering them and some of the methods they came up with for exploiting them that the public was made aware their data was in jeopardy.
“Full-disk encryption software, especially those integrated in modern operating systems, may autonomously decide to rely solely on hardware encryption in case it is supported by the storage device (via the TCG Opal standard). In case the decision is made to rely on hardware encryption, software encryption is disabled.” -Researchers from Radboud University wrote.
Products with these vulnerabilities include Crucial’s MX100, MX200, and MX300; and Samsung’s 840 and 850 EVO internal hard drives, and T3 and T5 external hard drives.
The weaknesses stem from the SSDs’ firmware implementation of the Opal standard for self-encrypting hard drives from the Trusted Computing Group, which was created by Microsoft, Intel, IBM, Hewlett-Packard, and AMD. Under the Opal standard, hard drives are capable of allowing numerous passwords on each drive, independent encryption section, or one for each locking range. In a few cases, the affected SSDs neglect to link the disk encryption key (DEK) to the passwords for the hard drives. In other cases, there is only one DEK for all ranges on encrypted hard drives, with each range protect by passwords.
“On the surface, doing so may seem only a minor issue. Indeed, access to at least one range is still required. However, the (probably) most popular Opal management software, BitLocker, leaves the global range unprotected in order to allow the partition table to be accessible. Consequently, the DEK must be stored unprotected to allow for this, in effect compromising the other ranges,” the paper continues.
Even though this is BitLocker’s setting by default, administrators can change this by way of a group policy setting while they are setting up new SSDs. One of the researchers who helped discover the vulnerabilities, Carlo Meijer, stated that the BitLocker problem is primarily for enterprises.
“Typically, larger organizations manage their Windows PCs and laptops centrally, and enable encryption for most (if not all) devices in the organization, via a central management console. This causes BitLocker, the encryption utility built into Microsoft Windows to kick in,” Meijer said in an email to ZDNet.
Meijer continues, “Unfortunately, by default, BitLocker will query a drive whether it supports self-encryption, and if it does, it will not perform any encryption on its own, but delegate that task to the self-encrypting drive instead and fully trust that the manufacturer did not make any mistakes.”
On 6 November, a day after the report was posted by Radboud University, Microsoft posted an advisory on its site covering the BitLocker issues, as well as the vulnerabilities of its SSDs, advising administrators to set up new hard drives with their defaults disabled.
“Microsoft is aware of reports of vulnerabilities in the hardware encryption of certain self-encrypting drives (SEDs). Customers concerned about this issue should consider using the software only encryption provided by BitLocker Drive Encryption™. On Windows computers with self-encrypting drives, BitLocker Drive Encryption™ manages encryption and will use hardware encryption by default. Administrators who want to force software encryption on computers with self-encrypting drives can accomplish this by deploying a Group Policy to override the default behavior. Windows will consult Group Policy to enforce software encryption only at the time of enabling BitLocker,” the company wrote.
“To check the type of drive encryption being used (hardware or software): 1. Run ‘manage-bde.exe -status’ from the elevated command prompt. 2 If none of the drives listed report “Hardware Encryption” for the Encryption Method field, then this device is using software encryption and is not affected by vulnerabilities associated with self-encrypting drive encryption,” it instructed.
All of the attacks developed by the Radboud University team required physical access to the target SSDs, whether external or internal. Additionally, the attacks usually required the use of specialized equipment and know-how.
However, given enough time, especially if the SSDs are stolen or taken from their location long enough, the attacks are feasible enough to be worried.
The Radboud University researchers stated in their report that the Crucial MX100 internal SATA hard drive is plagued with a number of security vulnerabilities, such as a no connection between the user’s password and the DEK. Furthermore, the MX200 has the same weakness.
“We demonstrated in practice that, by modifying the password validation routine in RAM through JTAG, the MX100 unlocks with any password, and the drive’s contents become accessible. This applies to both ATA security and TCG Opal,” the Radboud University research paper says.
The researchers from Radboud University notified Samsung and Crucial about the security issues they discovered. Samsung released a statement and updated the firmware for the T3 and T5 external SSDs.
“In light of recent reporting for potential breach of self-encrypting SSDs in the case of expert’s physical possession and specific technical settings, Samsung provides the following options of added protection for our valued consumers:
“For non-portable SSDs: We recommend installing encryption software (freeware available online) that is compatible with your system.
“For portable SSDs: We recommend updating the firmware on your device. Firmware patch can be updated through Portable SSD Activation Software. For T5 and T3 products, you must first reinstall Portable SSD Activation Software (Version 1.6.2), provided on the Samsung SSD Customer Support page (URL below), before updating the firmware. Please visit the following website for the Samsung SSD Customer Support page.
“For updating the firmware on T1 products, please contact the nearest Samsung Service Center. Please visit the following website for contact information of Samsung Service Centers around the globe.”
On the other hand, Crucial has not yet fixed its products’ issues but says they are in the process of doing so.
Meijer also stated in his email to ZDNet that the most critical changes manufacturers need to make to their external and internal SSDs is to bind the encryption keys to the users’ passwords. In addition to that, Meijer pointed out the lack of “visibility into the firmware” on the hard drives as being an added problem.
An advisory has been published by the Dutch National Cyber Security Centre as well.
Meijer further added, “These self-encrypting drives are extremely hard to analyze because their inner workings are not publicly known. Therefore, until now, independent experts have been unable to scrutinize them. In order for manufacturers to stand by their security claims, they should release their source code and implementation details so that they can be independently verified.”
If you found this article interesting, take some time out to read this informative piece: PGP Versions Are Not All Made the Same.