November 12, 2018
New reports by researchers at the Netherlands-based Radboud University claim that data storage devices with self-encrypting drives may not be as safe as previously believed. According to the team's findings, a malicious expert who manages to obtain physical access to these devices can bypass their protection and access the data.
The flaw allows access to stored information even without the device's unique password, and it seems to lie in the devices' encryption mechanism. While not all devices are vulnerable, several types of solid-state drives are. They are products of two large manufacturers: Crucial and Samsung.
The vulnerabilities were found in drives used in devices such as computers, laptops, and tablets, but also in external storage devices such as those connected through a USB cable.
One of the researchers, Bernard van Gastel, stated that the manufacturers were informed about the flaw back in April 2018. The results were made public now so that users can protect themselves. Another researcher, Carlo Meijer, stated that the problem requires action, which is especially important in the case of organizations and companies that are using flawed devices for storing sensitive information.
Hardware and software encryption
Right now, encryption is the best available method of protecting data. There are two types of it: software encryption and hardware encryption. While modern systems usually offer software encryption, it is possible that some systems rely on hardware encryption alone.
While hardware encryption is a good method of defense to have, it is always advisable to use software encryption whenever sensitive data is being transported or stored. While there are free software packages that can be used, there are also paid ones that should be considered. Microsoft Windows, for example, offers BitLocker, which is encryption software that comes with the system.
The security issues were identified through the use of public data, as well as €100 worth of evaluation devices. The researchers purchased the SSDs they examined through regular retail channels. Finding the flaws is not easy for those who do not know that they are there, and even then, hackers would have to know exactly where to look in order to spot the flaw.
However, once known, exploitation of such flaws is a very simple process, which makes the abuse of devices easy and dangerous. So far, researchers have identified only a few models that are vulnerable:
- Crucial (Micron) MX100, MX200, and MX300 internal hard disks;
- Samsung T3 and T5 USB external disks;
- Samsung 840 EVO and 850 EVO internal hard disks.
The researchers also pointed out that they did not test all disks that can be found on the market. In addition, the specific settings under which internal drives are used may change the nature of the vulnerability.
As stated, Windows uses BitLocker for encryption, which can be either hardware or software encryption. The type of encryption is set through Group Policy. Most of the time, standard hardware encryption is used, which is why owners of affected models need to change the default setting so that only software encryption is used.
While the change will not solve the issue, as it doesn't re-encrypt data that is already there, it will still encrypt all new data. If device owners wish to avoid a complete system reinstallation, they can use other encryption software to encrypt all of the old data manually.
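An added example, not from the original article or the researchers: a Python script that parses `manage-bde -status` output to find volumes where BitLocker left encryption to the drive, and flags those sitting on the models listed above. The sample output is constructed, and the English output layout, the model-string formats and the `drive_models` inventory input are assumptions.

```python
import re

# Patterns for the models the article lists as vulnerable. The model-string
# formats they are matched against are assumptions about inventory data.
AFFECTED = re.compile(r"MX[123]00|\b8[45]0 EVO\b|\bT[35]\b")

# Constructed sample of `manage-bde -status` output (English layout assumed).
SAMPLE_STATUS = """\
Volume C: [OSDisk]
[OS Volume]
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2

Volume D: [Data]
[Data Volume]
    Encryption Method:    XTS-AES 128

Volume E: [Scratch]
[Data Volume]
    Encryption Method:    None
"""

def parse_status(text):
    """Return {drive letter: {field: value}} from manage-bde -status text."""
    volumes, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Volume ([A-Z]):", line)
        if head:
            current = volumes.setdefault(head.group(1), {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return volumes

def classify(fields):
    """hardware = BitLocker left encryption to the drive itself."""
    method = fields.get("Encryption Method", "None")
    if method.startswith("Hardware Encryption"):
        return "hardware"
    return "unencrypted" if method == "None" else "software"

def audit(text, drive_models):
    """drive_models: {letter: model string}, a hypothetical inventory input."""
    report = {}
    for letter, fields in parse_status(text).items():
        kind = classify(fields)
        listed = AFFECTED.search(drive_models.get(letter, "")) is not None
        # Hardware encryption on a listed model is the case the article warns about.
        report[letter] = "at-risk" if kind == "hardware" and listed else kind
    return report
```

A volume reported as `hardware` on an unlisted drive still deserves review, since the researchers did not test every disk on the market.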