Researchers at Netherlands-based Radboud University, which is active in almost all scientific fields, have discovered grave security flaws in several popular solid-state drives (SSD) that promise full disk encryption. In a nutshell, they can be cracked.
Self-encrypting drives are regarded as very safe to use, and they are — unless those drives can be found in the list below:
- Crucial (Micron) MX100, MX200 and MX300 internal hard disks
- Samsung T3 and T5 USB external disks
- Samsung 840 EVO and 850 EVO internal hard disks
The Radboud geeks found that the Windows BitLocker software encryption trusts the built-in hardware encryption in these babies a bit too much – it essentially trusts self-encrypting drives to do their job, and defaults to the drive’s hardware encryption instead of encrypting in software itself.
This in itself wouldn’t be much of a problem if the self-encryption mechanism baked into Crucial’s and Samsung’s hardware was bulletproof. But it isn’t.
In one drive, researchers found that the master password responsible for decrypting the stored data was an empty string that could easily be exploited. In another case, they unlocked the drive by messing with its password validation checks.
Even though the flaws were disclosed responsibly – in accordance with the ethics of the white hat community – the drive models listed above remain affected. Researchers believe many other drives that use similar encryption schemes may be affected, and recommend that users employ third-party software encryption tools until patches arrive. Samsung itself now makes the same recommendation. Crucial’s parent company, Micron, promises to deliver a fix soon.
Researcher Bernard van Gastel said, “The affected manufacturers were informed six months ago, in line with common professional practices. The results are being made public today so that users of the affected SSDs can protect their data properly.”