Radboud University has discovered a significant security flaw in self-encrypting solid state drives.
According to the research, an attacker with access to the self-encrypting drive’s manual can use a built-in default master password to gain access to a user’s encrypted password, bypassing the drive’s encryption regardless of the strength of the victim’s password.
Additionally, attackers can bypass improper implementations of TCG Opal and ATA security implementations by acquiring the disk encryption key stored on the drive’s chip and using it to decrypt the data without requiring the user’s password.
“We found that critical security vulnerabilities in the drives studied exist,” the researchers stated.
“It is in many cases possible to recover the contents of the drive without knowledge of any password or secret key, thereby bypassing the encryption entirely.”
This security flaw is only present in devices with hardware-based encryption.
Several SSDs manufactured by Samsung and Crucial are reportedly affected by this issue.
Below is the list of products confirmed to be affected:
- Crucial (Micron) MX100, MX200 and MX300.
- Samsung T3 and T5 USB.
- Samsung 840 EVO and 850 EVO.
Researchers recommended that users enable full software-level encryption through solutions such as Microsoft’s BitLocker tool to mitigate the vulnerability.
Affected manufacturers were provided details of the security flaw in April 2018.