Posted on Wednesday, November 07 2018 @ 15:23 CET by Thomas De MaesschalckFor their paper (PDF), the researchers scrutinized three Crucial and four Samsung SSDs. The disks require a password for encryption and decryption, but this password can be reprogrammed via a debug port. The researchers conclude the disks fail to cryptographically tie to owner's password to the actual data encryption key (DEK). By reprogramming the SSD's firmware, the owner's password can be skipped, jumping straight to using the DEK.
A paper [PDF] drawn up by researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands, and made public today, describes these critical weaknesses. The bottom line is: the drives require a password to encrypt and decrypt their contents, however this password can be bypassed, allowing crooks and snoops to access ciphered data.If you need encryption, you're recommended to skip the built-in encryption and use software-based BitLocker or something like VeraCrypt.
Basically, the cryptographic keys used to encrypt and decrypt the data are not derived from the owner's password, meaning, you can seize a drive and, via a debug port, reprogram it to accept any password. At that point, the SSD will use its stored keys to cipher and decipher its contents. Yes, it's that dumb.
Via: The Register
