Several self-encrypting solid-state drives from two major manufacturers have security flaws that could allow hackers to access data without knowing users’ passwords.
Researchers at Radboud University in the Netherlands found the flaws in Samsung T3 and T5 USB external disks, Samsung 840 EVO and 850 EVO internal hard disks, and Crucial (Micron)’s MX100, MX200 and MX300 internal hard disks. Affected drives protected only by the built-in encryption should be treated as unprotected for the time being, said researcher Bernard van Gastel.
With self-encrypting drives, users expect data to remain fully protected unless someone has both the password and the drive itself. But with this flaw, it turns out that only having the drive itself is enough to access all the data in readable form.
“In a technical sense, the encryption key used to make the contents unreadable isn’t related in any way to the password set by the user,” van Gastel explained. “If a malicious person has access to the drive, he can derive the encryption key from internal parts of the drive. Having to set a password gives users a false sense of security, which can be very dangerous.”
To mitigate SSD security problems, the researchers recommend using software encryption in addition to the SSDs' built-in hardware encryption. At the same time, they warn that BitLocker, the encryption built into Microsoft Windows, can complicate the issue. Normally, BitLocker encrypts data in software, but depending on the configuration of the drive and Windows settings, it could disable the encryption in software and enable the built-in encryption in the SSDs. It’s important for storage professionals to know if such switches are taking place because they can severely weaken the protection of the data, depending on the drive used, vab Gastel said.
While it’s important for both manufacturers to update their firmware, researchers warn that it won’t completely fix the problem. In theory, van Gastel said, firmware can patch the problem, but issuing the right firmware fixes to actually solve this problem is expensive and difficult. What’s more, users often don’t update their firmware. Instead, van Gastel says, it’s safer not to rely solely on hardware encryption by adding software encryption to the mix.
“If flaws are discovered in that protection mechanism, the data is basically unprotected, so it’s almost essential to have multiple protection mechanisms in place,” he said.
In addition, van Gastel recommends that organizations expand protection beyond technical solutions. It’s just as important, he said, to be aware of the specific data sets each employee can access and where that data is stored. In light of recent events, he also believes that organizations should think about limiting the type of data allowed on mobile devices.
Now that the SSD security flaws are out in the open, van Gastel expects hackers to begin exploiting them until Micron and Samsung issue fixes.
“We only used about $100 worth of equipment and public information to get our results, and a lot can be automated. We won't release such scripts, but past experience with other security issues have [taught us] it won't take too long for such scripts to appear on the Internet,” he said.
The researchers notified both Micron and Samsung about these SSD security flaws back in April and agreed to wait until Nov. 5 to disclose the information to the public. As of today, Samsung has issued an announcement recommending that users install encryption software for non-portable SSDs and update the firmware on portable SSDs. Micron is expected to release a firmware update for the MX300 on Nov. 13.