Hardware-based disk encryption can be bypassed in certain SSDs

Hardware-based disk encryption can be bypassed in certain SSDs

"Suppose that the DEK is stored unprotected, after which a password is set by the end user, replacing the unprotected DEK with an encrypted variant", they explain. The bottom line is: the drives require a password to encrypt and decrypt their contents, however this password can be bypassed, allowing crooks and snoops to access ciphered data. In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations.

In particular, the researchers said, the SSDs fail to cryptographically tie the owner's password to the actual data encryption key (DEK), both of which are stored in the drive.

The vulnerability has affected only those SSD models supporting hardware-based encryption which uses local built-in chips for carrying out disk encryption operations. The vulnerabilities that researchers Carlo Meijer and Bernard van Gastel found are in the firmware of the SSDs.

There are three techniques that Meijer and van Gastel found to exploit these flaws.

Samsung T3 and T5 USB. This vulnerability information was responsibly disclosed to both manufacturers and the National Cyber Security Centre (NCSC) of the Netherlands in April 2018.

The researchers tested these methods against well known and popular SSD drives such as the Crucial MX100, Crucial MX200, Crucial MX300, Samsung 840 EVO, Samsung 850 EVO, Samsung T3 Portable, and Samsung T5 Portable and were able to illustrate methods to access the encrypted drive's data.

Other issues are detailed in the researchers' paper, titled "Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)", which can be downloaded in PDF format from here.

However, the issue runs deeper. That's because Microsoft's BitLocker, which is available only on Professional, Enterprise and Education editions of Windows 10, uses the drive's own encryption by default instead of its own.

SSDs with hardware-based encryption have specific chips inside that handle the task of encrypting and decrypting data. "For multiple models, it is possible to bypass the encryption entirely, allowing for a complete recovery of the data without any knowledge of passwords or keys".

The good news for Windows users is that BitLocker's encryption can be forced to work at the software level via a Group Policy setting, but the bad news is that they'll have to format their SSD and reinstall everything because old data will remain encrypted at the hardware level even if they change BitLocker's settings.

In addition, because the root of the problem resides in how vendors have implemented hardware-level encryption specifications, the two researchers have also advised the TCG working group to "publish a reference implementation of Opal to aid developers", and also make this sample implementation public so security researchers can probe it for vulnerabilities.

For those looking to secure their data, the researchers warn that software-based encryption systems may not offer complete protection: While arguing that the inclusion of AES-accelerating instructions in modern processors means that speed is no longer an issue in switching between software and hardware encryption, the pair found that some supposedly software-based systems default to using hardware encryption when available anyway - including Microsoft's BitLocker encryption facility, built into its Windows operating system - leaving them exposed to the same attacks.

This will ensure that future SEDs will implement the Opal specification in a correct manner where the user's data can not be recovered after cursory reverse engineering sessions. "From a security perspective, standards should favor simplicity over a high number of features".

Related News:

Most liked

Dozens of Facebook pages and Instagram accounts removed
The announcement came shortly after U.S. law enforcement and intelligence agencies said that Americans should be wary of Russian attempts to spread fake news.

Guardiola backs Man City chiefs over allegations of breaking FFP rules
Of course we want to follow the rules, from UEFA and Federation Internationale de Football Association and the Premier League . I would say of course, like many, many clubs around the world, there is a lot of money.

Angela Simmons shares heartfelt message to deceased ex-fiancé Sutton Tennyson
Thank you for the outpouring of love everyone . 'I cant believe I'm even saying Rest In Peace Sutton, ' Angela wrote. The 37-year-old Tennyson was found dead inside an open garage on Saturday, police said in a statement to Fox News.

Rihanna Slams Donald Trump For Playing Her Music
This news comes after Rihanna posted her endorsement of Florida Democratic gubernatorial candidate Andrew Gillum on Instagram . And Rihanna isn't the only celebrity losing it over her song being played in association with President Trump .

Priyanka Chopra models two bridal looks during her bachelorette party
Priyanka looked like a vision in her dreamy white Georges Chakra dress paired up with feathered coat and matching heels. Parineeti Chopra and Priyanka Chopra's would-be hubby Nick Jonas share a typical jija-saali relationship.

Bluetooth certification indicates new AirPods are coming
Now, the latest patent filing reveals three new classes - 10, 14 and 28. It looks like the new AirPods are finally coming.

Jazz guard Donovan Mitchell out vs. Raptors with ankle sprain
Beasley's 3-pointer gave the Nuggets a 79-77 lead and Plumlee beat the shot clock with another 3 that increased the lead to five. The Nuggets were desperate for any offensive production or positive momentum, but received none for the entirely of the quarter.

Girl, 10, arrested for 'deliberately killing baby boy at daycare center'
The boy was then airlifted to St Paul's hospital where he was later pronounced dead on 1 November, NBC News reports . According to the Tribune, a doctor who examined the baby determined that the injuries were not accidental.

BJP MLA wants 'objectionable' scenes removed from Shah Rukh Khan's 'Zero'
Upcoming Shah Rukh Khan-starrer " Zero " has landed in hot waters after hurting the sentiments of the Sikh population allegedly. Katrina Kaif , on the other hand, will play a actress who is battling alcoholism.

Cascade Lake-AP Xeon CPUs embrace the multi-chip module
Intel says that Cascade Lake processors will be arranged in multi-chip packages with CPUs that offer up to 48 cores per socket. All processors support dual-channel DDR4-2666 memory and feature a TDP ranging from 71 watts up to 95 watts for the flagship.

Lions stop Thielen from breaking Megatron's National Football League record
The Minnesota Vikings could be without wide receiver Stefon Diggs for Sunday's NFC North matchup against the Detroit Lions . The last time the Lions scored in single digits was a 17-6 loss to the New York Giants on December 18, 2016.

Alleged Asus ZenFone 6 leak points to novel off-center notch
Asus introduced the Zenfone 5z at MWC 2018 with a Snapdragon 845 chipset and an impressively low price tag of $340 in India. An Italy-based site called HDblog .it has leaked images of what it believes to be the final build of the Asus ZenFone 6 .

Pahlaj Nihalani Moves Bombay HC Against Censor Board Cuts to 'Rangeela Raja'
Govinda's film, " Rangeela Raja " also stars Shakti Kapoor, Digangana Suryavanshi, Mishika Chourasia, and Anupama Agnihotri. Pahlaj Nihalani who once not so long ago helmed the Central Board Of Film Certification (CBFC) is in no mood to back off.

Harvick wins; in title contention
Kyle Busch , a seven-time victor this year, and defending Cup champion Martin Truex Jr . are among the other six title contenders. Harvick also won both stages at the 1 1/2-mile Texas track, the fourth time this season he did that and went on to win the race.

Arsene Wenger in advanced talks to become AC Milan's new manager
Meanwhile, the club's current coach, Gennaro Gattuso has assisted Milan to fourth position in Serie A . Wenger left Arsenal at the end of last season after his side finished sixth in the league last season.