Hardware-based disk encryption can be bypassed in certain SSDs

"Suppose that the DEK is stored unprotected, after which a password is set by the end user, replacing the unprotected DEK with an encrypted variant," they explain. The bottom line is that the drives require a password to encrypt and decrypt their contents, but this password can be bypassed, allowing crooks and snoops to access ciphered data. In theory, the security guarantees offered by hardware encryption are similar to or better than those of software implementations.

In particular, the researchers said, the SSDs fail to cryptographically tie the owner's password to the actual data encryption key (DEK), both of which are stored in the drive.
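The difference between a password that is only compared and a password that actually protects the DEK, as an added example (not code from the researchers or any vendor firmware). The record layouts and function names are hypothetical, a 32-byte DEK is assumed, and the XOR-plus-HMAC wrap stands in for a real key-wrap algorithm such as AES key wrap because the Python standard library has no AES.

```python
import hashlib
import hmac
import os

def _kdf(password: bytes, salt: bytes) -> bytes:
    # 64 bytes: the first half wraps the DEK, the second half authenticates the wrap.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=64)

def provision_unbound(password: bytes, dek: bytes) -> dict:
    """Flawed layout: the password is only compared; the DEK is stored in the clear."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_check": _kdf(password, salt), "dek": dek}

def unlock_unbound(record: dict, password: bytes):
    # The check is a gate in front of the key, not a cryptographic dependency.
    ok = hmac.compare_digest(_kdf(password, record["salt"]), record["pw_check"])
    return record["dek"] if ok else None

def provision_bound(password: bytes, dek: bytes) -> dict:
    """Bound layout: only a wrapped DEK is stored, so no password means no key."""
    salt = os.urandom(16)
    k = _kdf(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, k[:32]))  # toy wrap, see lead-in
    tag = hmac.new(k[32:], wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unlock_bound(record: dict, password: bytes):
    k = _kdf(password, record["salt"])
    expect = hmac.new(k[32:], record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, record["tag"]):
        return None  # wrong password: the wrap cannot be authenticated
    return bytes(a ^ b for a, b in zip(record["wrapped"], k[:32]))

def dek_exposed_at_rest(record: dict, dek: bytes) -> bool:
    """True if the raw DEK appears among the values the drive stores."""
    return any(v == dek for v in record.values())

if __name__ == "__main__":
    dek = os.urandom(32)       # constructed sample key
    pw = b"owner-password"     # constructed sample password
    for name, rec in (("unbound", provision_unbound(pw, dek)),
                      ("bound", provision_bound(pw, dek))):
        print(name, "DEK readable from stored record:", dek_exposed_at_rest(rec, dek))
```

In the unbound layout anything that can read the stored record has the key regardless of the password check; in the bound layout the stored record alone is not enough.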

The vulnerability affects only SSD models that support hardware-based encryption, which uses built-in chips to carry out disk encryption operations. The vulnerabilities that researchers Carlo Meijer and Bernard van Gastel found are in the firmware of the SSDs.

There are three techniques that Meijer and van Gastel found to exploit these flaws.

Samsung T3 and T5 USB. This vulnerability information was responsibly disclosed to both manufacturers and the National Cyber Security Centre (NCSC) of the Netherlands in April 2018.

The researchers tested these methods against well-known and popular SSDs such as the Crucial MX100, Crucial MX200, Crucial MX300, Samsung 840 EVO, Samsung 850 EVO, Samsung T3 Portable, and Samsung T5 Portable, and were able to demonstrate methods to access the encrypted drive's data.

Other issues are detailed in the researchers' paper, titled "Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)", which is available in PDF format.

However, the issue runs deeper. That's because Microsoft's BitLocker, which is available only on Professional, Enterprise and Education editions of Windows 10, relies by default on the drive's own hardware encryption instead of BitLocker's software encryption.

SSDs with hardware-based encryption have specific chips inside that handle the task of encrypting and decrypting data. "For multiple models, it is possible to bypass the encryption entirely, allowing for a complete recovery of the data without any knowledge of passwords or keys."

The good news for Windows users is that BitLocker's encryption can be forced to work at the software level via a Group Policy setting, but the bad news is that they'll have to format their SSD and reinstall everything because old data will remain encrypted at the hardware level even if they change BitLocker's settings.

In addition, because the root of the problem resides in how vendors have implemented hardware-level encryption specifications, the two researchers have also advised the TCG working group to "publish a reference implementation of Opal to aid developers", and also make this sample implementation public so security researchers can probe it for vulnerabilities.

For those looking to secure their data, the researchers warn that software-based encryption systems may not offer complete protection. The pair argue that the inclusion of AES-accelerating instructions in modern processors means that speed is no longer an issue in switching between software and hardware encryption. However, they found that some supposedly software-based systems default to using hardware encryption when available anyway - including Microsoft's BitLocker encryption facility, built into its Windows operating system - leaving them exposed to the same attacks.

This will ensure that future SEDs implement the Opal specification correctly, so that the user's data cannot be recovered after cursory reverse engineering sessions. "From a security perspective, standards should favor simplicity over a high number of features."
