In brief: Researchers at Radboud University have discovered flaws in some popular solid state drives (SSD) that allowed them to decrypt hardware encryption without having the password. Carlo Meijer and Bernard van Gastel found that they were able to modify firmware or use debugging tools to alter the password authentication schemes used by the drives.
They successfully tested their exploits against the Crucial MX100, MX200, and MX300 SSDs as well as Samsung’s 840 EVO, 850 EVO, T3 Portable, and T5 Portable drives. The researchers say they were able to reverse engineer the firmware on these devices and reprogram them to validate the password no matter what is entered.
“We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware. In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret.”
What’s more, since Windows’ BitLocker software encryption defaults to hardware encryption when it is available, it can also be bypassed with the same methods.
There are three techniques that Meijer and van Gastel found to exploit these flaws.
With the Crucial MX100, MX200, the Samsung 850 EVO, and T3 Portable, they were able to able to physically connect to the drives’ JTAG debugging interface and modify the password verification checks. Any password typed in would decrypt the drive.
The Crucial MX300 also has a JTAG port, but they discovered it is disabled by default. So instead the researchers flashed the drive with a counterfeit firmware. This allowed them to authenticate with an empty password field.
With the remaining drives, they were able to recover data encryption keys (DEK) using a “wear leveling” exploit.
“Suppose that the DEK is stored unprotected, after which a password is set by the end user, replacing the unprotected DEK with an encrypted variant,” they explain. “Due to wear leveling, the new variant can be stored somewhere else within the storage chip and the old location is marked as unused. If not overwritten later by other operations, the unprotected variant of the DEK can still be retrieved.”
Crucial and Samsung were notified of the flaw well in advance of announcing it publicly. Crucial has already released patched firmware for all affected drives except the MX300, which has not been updated since 2017. Samsung also rolled out updates for its T3 and T5 Portable SSD. For its EVO drives, however, the company recommends using software encryption.
Meijer and van Gastel are preparing to publish a paper on the flaws titled “Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs).” It is currently in the peer-review process, but if you’re into the nitty-gritty details, they have made a preliminary copy available for download on the Radboud University website.