Used Data Storage Devices Have Security Flaws
According to Researchers at Radboud University in the Netherlands ‘data storage devices with self-encrypting drives don’t provide the expected level of data protection. They say a malicious expert with direct access to widely sold storage devices can bypass existing protection mechanisms without knowing the user-chosen password and access the data.
As reported in newelectronics.co.uk these flaws existed in the encryption mechanism of several types of solid state drives. The two major manufacturers, namely are Samsung and Crucial. The vulnerabilities occur both in internal storage devices (in laptops, tablets, and computers) and in external storage devices (connected via a USB cable). The storage devices affected include popular models that are currently widely available.
Researcher Bernard van Gastel, explained: “The affected manufacturers have informed six months ago [April 2018], in line with common professional practices. The results are being made public today, so that users of the affected SSDs can protect their data properly.”
Researcher Carlo Meijer, said: “This problem requires action, especially by organizations storing sensitive data on these devices. And also by some consumers who have enabled these data protection mechanisms. But most consumers haven’t done that.”
The expert team recommends that if sensitive data needs to be protected, it is advisable to use software encryption and not to rely on hardware encryption. One option is to use the free and open source VeraCrypt software package, but other solutions do exist. On computers running Windows, BitLocker provides software encryption, and data may not be secure.
Encryption is the main data protection mechanism. It may be implemented in software or hardware. Modern operating systems generally offer software encryption for the whole storage. However, it may happen that such an operating system solely depends on hardware encryption, if it is supported by the storage device. BitLocker, in Microsoft Windows, is an encryption software that is built in, and this software can switch to hardware encryption but offers no effective protection in these cases. Software encryption in other operating systems like macOS, iOS, Android, and Linux also seems to be unaffected if it does not perform this switch.
These security issues were identified by the researchers’ using public information and through €100 of evaluation devices. They examined the SSDs that via regular retail channels. According to the team, it is quite difficult to determine these problems from scratch. However, once the nature of the issues is known, there is a risk that the exploitation of these flaws will be automated by others, making abuse easier. The researchers at Radboud University will not release such an exploitation tool.
The models for which vulnerabilities have actually been demonstrated in practice are:
- Samsung T3 and T5 USB external disks.
- Samsung 840 EVO and 850 EVO internal hard disks.
- Crucial (Micron) MX100, MX200, and MX300 internal hard disks.
Not all disks available in the market have been tested. It should be noted, however, that Specific technical settings (high” and “max” security) in which internal drives are used may affect the vulnerability (see the detailed information provided by the manufacturers and technical information link below).
The kind of encryption that BitLocker uses In Windows, (i.e. hardware encryption or software encryption) is set via the Group Policy. If available, standardized hardware encryption is used. The default setting must be changed for the affected models so that only software encryption is used. It does not re-encrypt existing data so this change does not solve the problem immediately. Hence a completely new installation, or reformatting the internal drive, will enforce software encryption. VeraCrypt software can be used as an alternative to re-installation.