Security researchers have discovered multiple critical vulnerabilities in some popular self-encrypting solid-state drives (SSDs) that could allow an attacker to bypass the disk encryption and recover protected data without knowing the password for the disk.
The researchers, Carlo Meijer and Bernard van Gastel of Radboud University in the Netherlands, reverse engineered the firmware of several SSDs that offer hardware full-disk encryption, identified several issues, and detailed their findings in a new paper (PDF) published Monday.
"The analysis uncovers a pattern of critical issues across vendors. For multiple models, it is possible to bypass the encryption entirely, allowing for a complete recovery of the data without any knowledge of passwords or keys," the researchers say.
The duo successfully tested their attack against three Crucial SSD models (MX100, MX200, and MX300) and four Samsung SSDs (840 EVO, 850 EVO, T3 Portable, and T5 Portable), and found at least one critical flaw in each that breaks the encryption scheme. The researchers warned that many other SSDs may also be at risk.
The vulnerabilities explained below stem from improper implementations of ATA security and TCG Opal, two specifications for implementing encryption on SSDs that use hardware-based encryption.
Password and Data Encryption Key Are Not Linked
According to the researchers, the Crucial MX100 and MX200 and the Samsung 850 EVO and T3 Portable SSDs have critical security issues in both their ATA security and TCG Opal implementations.
Because the password and the data encryption key are not linked on these drives, the researchers, with physical access to the device's debug ports, were able to reverse engineer the firmware and modify it so that the hardware-encrypted data is decrypted when any password is entered.
Secret Master Password
The Crucial MX300 also has a JTAG port, but since it has been disabled by default, the above approach is insufficient.
"Furthermore, we identified several memory corruption vulnerabilities. None of which we could successfully exploit in order to gain control over the execution," the researchers say.
However, the researchers discovered that the Crucial MX300 SSD also has a master password implementation whose default value is set by the manufacturer; in the case of the MX300, it is an empty string.
If the user leaves this value unchanged, anyone who knows the default master password can unlock the data with an empty password field, without needing the custom password set by the user.
Wear Leveling Exploit
In the Samsung 840 EVO, the researchers were able to recover data encryption keys (DEKs) by exploiting the wear-leveling feature, a technique used in solid-state drives (SSDs) to increase the lifetime of erasable flash memory.
In most SSDs, the wear-leveling algorithm works by regularly moving static data to different physical locations in the NAND flash memory. But even after the data is moved, it remains available at the old location until it is overwritten.
However, this process has an adverse effect on security, as the pair explains, "suppose that the disk encryption key (DEK) is stored unprotected, after which a password is set by the end user, replacing the unprotected DEK with an encrypted variant."
"Due to wear leveling, the new variant can be stored somewhere else within the storage chip and the old location is marked as unused. If not overwritten later by other operations, the unprotected variant of the DEK can still be retrieved," the researchers add.
Don't Trust BitLocker to Encrypt Your SSD
What's more, since Windows' built-in BitLocker full-disk encryption software by default uses hardware-based encryption if available, instead of its own software-based encryption algorithms, Windows users relying on BitLocker and using vulnerable drives remain exposed to the above-mentioned vulnerabilities.
"BitLocker, the encryption software built into Microsoft Windows, can make this kind of switch to hardware encryption but offers the affected disks no effective protection in these cases. Software encryption built into other operating systems (such as macOS, iOS, Android, and Linux) seems to be unaffected if it does not perform this switch," the researchers say.
However, you can force BitLocker to use only software-based encryption by changing a setting in Windows Group Policy. To do so, follow the steps below:
- Open the Local Group Policy Editor by entering "gpedit.msc" in the Run dialog.
- Head on to "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption."
- Double-click the "Configure use of hardware-based encryption for fixed data drives" option in the right panel.
- Select the "Disabled" option there and click "OK" to save the new setting.
- Once done, suspend the BitLocker protection and re-enable it for the change to take effect.
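To check the result of the steps above, the following added example (not part of the original article) lists the hardware-encryption policy state and the encryption method each BitLocker volume reports. It assumes an elevated PowerShell session with the BitLocker module available; the function names are illustrative, and the registry value names are the ones these Group Policy settings write under the FVE policy key.

```powershell
# Added example: audit BitLocker volumes for reliance on drive-firmware encryption.
# Run from an elevated PowerShell session.

function Get-HardwareEncryptionPolicy {
    # Values written by the "Configure use of hardware-based encryption ..." policies.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $names = [ordered]@{
        'Fixed data drives'      = 'FDVHardwareEncryption'
        'Operating system drive' = 'OSHardwareEncryption'
        'Removable data drives'  = 'RDVHardwareEncryption'
    }
    foreach ($scope in $names.Keys) {
        $name  = $names[$scope]
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if     ($null -eq $value) { $state = 'Not configured' }
        elseif ($value -eq 0)     { $state = 'Disabled (software encryption only)' }
        else                      { $state = 'Enabled (hardware encryption allowed)' }
        [pscustomobject]@{ Scope = $scope; Policy = $state }
    }
}

function Get-BitLockerEncryptionAudit {
    # EncryptionMethod reads 'HardwareEncryption' when BitLocker has delegated
    # encryption to the drive; AES/XTS-AES values mean BitLocker encrypts in software.
    Get-BitLockerVolume | ForEach-Object {
        $method = [string]$_.EncryptionMethod
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            EncryptionMethod = $method
            ReliesOnDrive    = ($method -eq 'HardwareEncryption')
        }
    }
}

Get-HardwareEncryptionPolicy | Format-Table -AutoSize

$audit = Get-BitLockerEncryptionAudit
$audit | Format-Table -AutoSize

$atRisk = $audit | Where-Object { $_.ReliesOnDrive }
if ($atRisk) {
    Write-Warning ("Volumes still using drive hardware encryption: " +
                   ($atRisk.MountPoint -join ', '))
} else {
    Write-Output 'No BitLocker volume reports hardware encryption.'
}
```

A volume that still reports `HardwareEncryption` after the policy change is still protected only by the drive's own implementation.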
Alternatively, rather than relying on BitLocker, you can use the open-source VeraCrypt tool to encrypt your Windows system hard drive or any other drive. VeraCrypt is based on the TrueCrypt software and handles the encryption process on its own, without relying on the SSD.
Moreover, unlike BitLocker, which is available only on the Professional, Enterprise and Education editions of Windows 10, VeraCrypt is also available on Windows 10 Home and Windows 7 Home computers.
Security Patches for Samsung and Crucial SSDs
Meijer and Gastel reported the vulnerabilities to Crucial and Samsung before going public with their findings. While Crucial has already released firmware patches for all of its affected drives, Samsung has rolled out security patches for its T3 and T5 Portable SSDs.
However, for its EVO drives, Samsung recommends installing encryption software (freely available online) that is compatible with your system.
"Hardware encryption currently comes with the drawback of having to rely on proprietary, non-public, hard-to-audit crypto schemes designed by their manufacturers. Correctly implementing disk encryption is hard and the consequences of making mistakes are often catastrophic," the researchers say.
"For this reason, implementations should be audited and subject to as much public scrutiny as possible. Manufacturers that take security seriously should publish their crypto schemes and corresponding code so that security claims can be independently verified."
You can head on to the research paper titled "Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)" published Monday by the researchers to learn more about the reported vulnerabilities.