Major SSD security flaw lets attackers bypass encryption
Hardware-based disk encryption can be bypassed in certain SSDs
07 November, 2018, 18:11
When BitLocker is used to encrypt a disk in Windows and the operating system detects an SSD with hardware encryption, it automatically defaults to using it.
Users could set a custom password for accessing the encrypted data.
Carlo Meijer and Bernard van Gastel of Radboud University, Netherlands, detailed in their paper [pdf] how techniques known to be used by the US National Security Agency (NSA) can get around encryption that looks strong and impenetrable on paper.
This security flaw is only present in devices with hardware-based encryption.
Therefore, the researchers had to rely on a more complicated routine of flashing the device with modified firmware that allows them to perform various routines, which ultimately allow them to either decrypt the password or authenticate to the device using an empty password. The researchers found that implementations of both "ATA security" and the "Opal Storage Specification" for self-encrypting drives have material flaws in SSD firmware that are trivial to exploit to gain access to drive contents. The SSD's built-in processor and firmware are free to use the disk encryption key (DEK) whenever they like, but only choose to do so when the correct password is supplied. While the MX300 has significant implementation improvements, the whole drive can be unlocked with a master password, which by default is blank. These faulty implementations meant that the user-chosen password and the disk encryption key weren't cryptographically linked.
"Absence of this [cryptographically linking] property is catastrophic", researchers said.
They said Microsoft shares some of the blame for Windows user data that can easily be stolen from their encrypted drives by people with access to the users' laptops. "All the information required to recover the user data is stored on the drive itself and can be retrieved".
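The difference between a password that firmware merely compares and a password that is cryptographically linked to the DEK can be shown in a few lines. This is an added illustration, not code from the researchers' paper or from any drive firmware; the function names and stored-record layout are hypothetical, and the XOR-plus-HMAC wrap stands in for a real key-wrap algorithm because the Python standard library has no AES.

```python
import hashlib
import hmac
import os

def kdf(password: bytes, salt: bytes) -> bytes:
    """64 bytes: the first 32 mask the DEK, the last 32 key the integrity tag."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000, dklen=64)

def provision_unlinked(password: bytes, dek: bytes) -> dict:
    """Flawed design: the DEK is persisted as-is; the password is only compared."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_check": kdf(password, salt), "dek": dek}

def unlock_unlinked(stored: dict, password: bytes):
    # The only barrier is this comparison, which the firmware chooses to honour.
    ok = hmac.compare_digest(kdf(password, stored["salt"]), stored["pw_check"])
    return stored["dek"] if ok else None

def provision_linked(password: bytes, dek: bytes) -> dict:
    """Linked design: the DEK is persisted only wrapped under a password-derived key."""
    salt = os.urandom(16)
    k = kdf(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, k[:32]))  # simplified wrap (assumption)
    tag = hmac.new(k[32:], wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unlock_linked(stored: dict, password: bytes):
    k = kdf(password, stored["salt"])
    tag = hmac.new(k[32:], stored["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, stored["tag"]):
        return None  # wrong password: nothing persisted yields the DEK
    return bytes(a ^ b for a, b in zip(stored["wrapped"], k[:32]))

def dek_present_in_storage(stored: dict, dek: bytes) -> bool:
    """True if the raw DEK appears among the values the drive persists."""
    return any(value == dek for value in stored.values())

if __name__ == "__main__":
    dek = os.urandom(32)  # constructed sample key
    for name, record in (("unlinked", provision_unlinked(b"user-pw", dek)),
                         ("linked", provision_linked(b"user-pw", dek))):
        print(name, "raw DEK in storage:", dek_present_in_storage(record, dek))
```

In the unlinked record the key can be read from storage whether or not the password check runs; in the linked record the stored bytes are useless without the password.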
The Dutch researchers also called out drive makers for using proprietary encryption systems when open source ones, like VeraCrypt, are much better.
"We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware", stated the report.
The researchers responsibly disclosed their findings to Crucial and Samsung in April 2018.
Samsung's 840 EVO and 850 EVO internal SSDs, as well as the T3 and T5 external SSDs were also found to be deficient.
But the reported issues go far deeper than researchers initially realized, especially for Windows users, who are in more danger than others. That means that if you chose to use BitLocker for extra safety and owned one of the above-mentioned drives, you could have basically zero protection. "For multiple models, it is possible to bypass the encryption entirely, allowing for a complete recovery of the data without any knowledge of passwords or keys". "Furthermore, BitLocker users can change their preference to enforce software encryption even if hardware encryption is supported by adjusting the Group Policy setting".
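To find out which BitLocker volumes are actually relying on the drive's hardware encryption, the text printed by `manage-bde -status` can be checked for its "Encryption Method" field. The parser below is an added example, not part of the original article; the sample text is constructed rather than captured from a real host, and it assumes English-language output.

```python
import re

# Constructed sample of `manage-bde -status` text (not from a real machine).
SAMPLE = """\
Volume C: [OSDisk]
[OS Volume]

    Size:                 237.87 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Size:                 931.39 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
"""

def encryption_methods(status_text: str) -> dict:
    """Map each volume (e.g. 'C:') to the value of its 'Encryption Method' field."""
    methods = {}
    current = None
    for line in status_text.splitlines():
        volume = re.match(r"Volume\s+(\S+)", line)
        if volume:
            current = volume.group(1)
            continue
        method = re.match(r"\s*Encryption Method:\s*(.+?)\s*$", line)
        if method and current:
            methods[current] = method.group(1)
    return methods

def hardware_encrypted_volumes(status_text: str) -> list:
    """Volumes where BitLocker delegates encryption to the drive itself."""
    return sorted(vol for vol, method in encryption_methods(status_text).items()
                  if method.lower().startswith("hardware encryption"))

if __name__ == "__main__":
    for vol in hardware_encrypted_volumes(SAMPLE):
        print(f"{vol} relies on the drive's hardware encryption")
```

Volumes flagged this way are the ones to move to software encryption, as the researchers recommend.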
The researchers recommended that users of self-encrypting drives (SEDs) use software-level full disk encryption systems such as VeraCrypt to protect their data.
In addition, because the root of the problem resides in how vendors have implemented hardware-level encryption specifications, the two researchers have also advised the TCG working group to "publish a reference implementation of Opal to aid developers", and also make this sample implementation public so security researchers can probe it for vulnerabilities.