SSDs with hardware encryption are easily hacked

Posted on Wednesday, Nov 07 2018 @ 15:23 CET by Thomas De Maesschalck
Security researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands discovered that the hardware-based encryption found on many popular solid state disks can easily be bypassed.

For their paper (PDF), the researchers scrutinized three Crucial and four Samsung SSDs. The disks require a password for encryption and decryption, but this password can be reprogrammed via a debug port. The researchers conclude that the disks fail to cryptographically tie the owner's password to the actual data encryption key (DEK). By reprogramming the SSD's firmware, the owner's password can be skipped, jumping straight to using the DEK.
A paper [PDF] drawn up by researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands, and made public today, describes these critical weaknesses. The bottom line is: the drives require a password to encrypt and decrypt their contents, however this password can be bypassed, allowing crooks and snoops to access ciphered data.

Basically, the cryptographic keys used to encrypt and decrypt the data are not derived from the owner's password, meaning, you can seize a drive and, via a debug port, reprogram it to accept any password. At that point, the SSD will use its stored keys to cipher and decipher its contents. Yes, it's that dumb.
If you need encryption, the recommendation is to skip the built-in encryption and use software-based BitLocker or something like VeraCrypt.
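
The design flaw described above, as an added Python model that is not code from the paper or from any drive firmware: one drive stores the DEK independently of the password, the other stores only a password-wrapped DEK. The class names, the enforce_check flag, the sample passwords and the XOR stand-in for a real key-wrap algorithm are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive(password: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """PBKDF2 -> (32-byte wrapping key, 32-byte MAC key)."""
    out = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=64)
    return out[:32], out[32:]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class UnboundDrive:
    """Flawed model: DEK stored as-is; the password only feeds a firmware comparison."""
    def __init__(self, password: bytes, dek: bytes):
        self.salt = os.urandom(16)
        self.verifier = derive(password, self.salt)[1]
        self.stored_dek = dek            # independent of the password
        self.enforce_check = True        # firmware logic, not cryptography

    def unlock(self, password: bytes):
        ok = hmac.compare_digest(derive(password, self.salt)[1], self.verifier)
        if self.enforce_check and not ok:
            return None
        return self.stored_dek

class BoundDrive:
    """Bound model: only a password-wrapped DEK is ever stored."""
    def __init__(self, password: bytes, dek: bytes):
        self.salt = os.urandom(16)
        wrap_key, mac_key = derive(password, self.salt)
        # Assumption: XOR with a single-use derived key stands in for AES key wrap.
        self.wrapped_dek = xor(dek, wrap_key)
        self.tag = hmac.new(mac_key, self.wrapped_dek, "sha256").digest()
        self.enforce_check = True

    def unlock(self, password: bytes):
        wrap_key, mac_key = derive(password, self.salt)
        expected = hmac.new(mac_key, self.wrapped_dek, "sha256").digest()
        if self.enforce_check and not hmac.compare_digest(expected, self.tag):
            return None
        return xor(self.wrapped_dek, wrap_key)

def compare(dek: bytes = bytes(range(32))) -> dict:
    """Per model: does a wrong password yield the DEK once the check is off?"""
    result = {}
    for model in (UnboundDrive, BoundDrive):
        drive = model(b"owner-password", dek)      # constructed sample values
        drive.enforce_check = False                # models modified firmware
        result[model.__name__] = drive.unlock(b"wrong-password") == dek
    return result
```

In the bound model, turning off the comparison gains nothing: without the owner's password the wrapping key cannot be derived, so the stored blob never unwraps to the real DEK.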

Via: The Register

