The value of encryption is hard to overestimate. When it works, it means that even if your data is accessed without authorisation, it cannot be read (and by extension, cannot be exploited) by the attacker; something that makes encryption an essential layer of defence for anyone who’s serious about IT security.
So how should you go about encrypting the data stored on your devices? Well, these days, security-savvy buyers have been gravitating towards self-encrypting drives (SEDs) - and it’s easy to see why. With these, every data file that goes onto the drive gets encrypted automatically at hardware level. It’s fast, effective – and doesn’t involve any additional software. What’s not to love?
There’s just one killer flaw: researchers have just discovered that if you have access to the targeted device (along with just a little bit of technical know-how), for many SEDs, it’s possible to bypass the hardware encryption altogether.
Here’s a closer look at the vulnerabilities - and at what you can do to guard against them…
Self-encrypting solid state drives: what are we talking about?
First off, a word about device storage and the choice between Hard Disk Drive (HDD) and Solid State Drive (SSD) components...
- It wasn’t so long ago that Solid State Drives (SSDs) were the preserve of power users. But as the price of SSDs has fallen, it’s now the case that if you want quick, reliable performance from a laptop or PC, SSD is an increasingly affordable option (even if you have an entire workforce to kit out).
- If you go for SSD, the choice is usually dictated by performance-related reasons (in particular, boot-up time, copy/write speeds, file & program opening speeds all tend to be that much quicker). At the same time, wearing your security hat, you should also be seriously considering Full Disk Encryption to protect the data stored on devices. As it happens, many SSDs (e.g. Samsung’s popular Evo 840, 850 and 860 ranges) are also self-encrypting drives.
How SEDs work
With these, the encryption process is carried out with the use of a unique and random Data Encryption Key (DEK). When data is written to the drive, the DEK encrypts it - and the same DEK decrypts it when the data needs to be read by an authorised user.
Access is controlled via an Authentication Key (AK): a form of password authentication that locks the drive until the correct key is entered.
So what’s the problem?
Researchers at Radboud University in the Netherlands have recently uncovered what they refer to as “a pattern of critical issues” that affect SEDs on sale from various vendors. You can view the full paper here. Crucially, their research has shown that in many popular self-encrypting SSDs, it is possible to bypass the encryption entirely, meaning that in theory, you can access the data, even if you don’t have access to the authentication key.
Which SSDs are affected?
The researchers were able to successfully attack the following SSD models:
- Crucial MX100, MX200 and MX300
- Samsung 840 EVO, 850 EVO, T3 Portable and T5 Portable
The researchers point out, however, that this was not a full-market test. Many other SSDs may also be exposed.
What are the specific vulnerabilities?
Summarising the issues found, one of the researchers tweeted, likening the situation to “leaving the keys to the safe, under the safe”. The main vulnerabilities were as follows:
- No proper link between the DEK and the AK. The researchers said they were able to connect to the drive’s debug interface on its circuit board. This gave them direct access to the drive’s firmware, enabling them to modify the password-checking routine to accept any passphrase.
- A blank master password by default. With the Crucial MX300 SSD, the researchers found that the device’s master password was set as an empty string by default. If this remained unaltered, it meant that the data could be unlocked simply by submitting an empty field!
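To make the first point concrete, here is a small model of the two designs, added as an illustration and not taken from the researchers' paper or any vendor firmware. The class names, the `check_enabled` flag (standing in for the firmware's password-checking routine) and the XOR wrap (a toy stand-in for a real key-wrap algorithm) are all assumptions made for the example.

```python
import hashlib
import hmac
import os

def derive_kek(password: bytes, salt: bytes) -> bytes:
    """Stretch the password into a 32-byte key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class UnboundDrive:
    """Flawed design: the DEK is stored as-is and the password only gates a check."""
    def __init__(self, password: bytes, dek: bytes):
        self.salt = os.urandom(16)
        self.verifier = derive_kek(password, self.salt)
        self.stored_dek = dek          # usable without knowing the password
        self.check_enabled = True      # hypothetical flag: the firmware's password check

    def unlock(self, password: bytes):
        ok = hmac.compare_digest(derive_kek(password, self.salt), self.verifier)
        if self.check_enabled and not ok:
            return None
        return self.stored_dek

class BoundDrive:
    """Sound design: at rest, the DEK exists only wrapped under the password-derived KEK."""
    def __init__(self, password: bytes, dek: bytes):
        self.salt = os.urandom(16)
        kek = derive_kek(password, self.salt)
        self.wrapped_dek = xor(dek, kek)   # toy wrap; real designs use e.g. AES Key Wrap
        self.tag = hmac.new(kek, self.wrapped_dek, "sha256").digest()
        self.check_enabled = True

    def unlock(self, password: bytes):
        kek = derive_kek(password, self.salt)
        seen = hmac.new(kek, self.wrapped_dek, "sha256").digest()
        if self.check_enabled and not hmac.compare_digest(seen, self.tag):
            return None
        return xor(self.wrapped_dek, kek)  # a wrong password yields a wrong key

if __name__ == "__main__":
    dek = os.urandom(32)                   # constructed sample key
    for drive in (UnboundDrive(b"s3cret", dek), BoundDrive(b"s3cret", dek)):
        drive.check_enabled = False        # model the check no longer being enforced
        print(type(drive).__name__, drive.unlock(b"guess") == dek)
```

With the check switched off, the unbound drive hands back the real DEK for any passphrase, while the bound drive can only produce a useless key, because the correct password is an input to recovering the DEK rather than a gate in front of it.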
There’s more: issues with BitLocker
BitLocker is Windows’ proprietary inbuilt encryption software. The researchers highlighted a problem relating to the way in which BitLocker interacts with SEDs. Basically, where hardware-based encryption is available, BitLocker uses this by default – in place of its own software-based encryption process.
So if your SSD is vulnerable, then even if you have BitLocker running, your data is still exposed.
How to deal with the problem
For the BitLocker issue, you can change the default setting and instruct the program to use software-based encryption only. This is done by accessing the Local Group Policy Editor (enter “gpedit.msc” in the Run dialog). Navigate to “Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption”. Double click on “Configure use of hardware-based encryption for fixed data drives” – and select “Disabled”.
As an alternative to BitLocker, you can also use the open source VeraCrypt tool for encryption. (Unlike BitLocker, this can also be used on Windows Home editions).
For its EVO drives, Samsung now recommends installing encryption software. Crucial has already released patches for its affected drives – as has Samsung for its T3 and T5 SSD models.
I have always been concerned about possible flaws in SSD encryption, so have always been recommending open source software encryption like VeraCrypt instead of SSD encryption, where the code has been audited.
The message is clear: consider using full disk encryption at the software level – and always keep on top of your patch updates.