Researchers out of Radboud University (the Netherlands) claim hardware encryption systems built into some of the most popular solid-state drives can be bypassed. The ability to bypass the encryption would allow an attacker to recover protected data and Microsoft BitLocker wouldn’t make a difference.
SSD manufactures often use Advanced Encryption Standards (AES) to encrypt their drives. This standard is supposed to encrypt data to the drive as it is being stored and offers that without a performance loss. Traditional software encryption brings with it performance loss so this is why AES is popular. AES is supposed to render information inaccessible if the SSD is removed from the system, but that’s doesn’t seem to be the case.
A research paper from Carlo Meijer and Bernard van Gastle, published in draft today, suggests otherwise: The pair detail numerous methods for obtaining access to supposedly-protected data on a range of popular SSD devices, with most failing to protect their contents and providing complete and unrestricted access. ‘In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations,’ the researchers explain in the paper’s abstract. ‘In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret.’
The team’s research looked at seven SSD device families in total: the Crucial MX100, MX200, and MX300 in all available form factors; the Samsung 840 EVO and 850 EVO in SATA variants; and the Samsung T3 and T5 USB SSDs. Compromises allowing for full access to the encrypted data without the need to know the secret key supposedly protecting the contents were found on all Crucial and both Samsung USB drive models; only the Samsung 840 EVO and 850 EVO escaped complete compromise, with the researchers noting that bypass of the cryptographic protections was only available in selected scenarios.
‘For multiple models, it is possible to bypass the encryption entirely, allowing for a complete recovery of the data without any knowledge of passwords or keys. A pattern of critical issues across vendors indicates that the issues are not incidental but structural,’ the researchers argue while naming the TCG Opal standard as being extremely hard to implement correctly, ‘and that we should critically assess whether this process of standards engineering actually benefits security, and if not, how it can be improved.’
The entire draft paper can be found at the link below and is 16-pages long. It’s pretty involved so you might want to leave a chunk of time out if you want to read the whole thing.
Last Updated on February 3, 2021.