Solid state of fear: Euro boffins bust open SSD, Bitlocker encryption (it's really, really dumb)

Security experts frantically facepalming at stupid design

By Shaun Nichols in San Francisco


Fundamental flaws in the encryption system used by popular solid-state drives (SSDs) can be exploited by miscreants to easily decrypt data, once they've got their hands on the equipment.

A paper [PDF] drawn up by researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands, and made public today, describes these critical weaknesses. The bottom line is: the drives require a password to encrypt and decrypt their contents, however this password can be bypassed, allowing crooks and snoops to access ciphered data.

Basically, the cryptographic keys used to encrypt and decrypt the data are not derived from the owner's password, meaning, you can seize a drive and, via a debug port, reprogram it to accept any password. At that point, the SSD will use its stored keys to cipher and decipher its contents. Yes, it's that dumb.

The egghead duo tested three Crucial and four Samsung models of SSDs, and found them more or less vulnerable to the aforementioned attack, although it does depend on their final configuration. Check the table below for the specific findings and settings to determine if your rig is vulnerable. All of the drives tried, and failed, to securely implement the TCG Opal standard of encryption.

"The analysis uncovers a pattern of critical issues across vendors," according to the researchers. "For multiple models, it is possible to bypass the encryption entirely, allowing for a complete recovery of the data without any knowledge of passwords or keys."

Rowhammer RAM attack adapted to hit flash storage


In particular, the researchers said, the SSDs fail to cryptographically tie the owner's password to the actual data encryption key (DEK), both of which are stored in the drive. The SSD's builtin processor and firmware are free to use the DEK whenever they like, but only choose to do so when the correct password is supplied. If the firmware is reprogrammed or manipulated by someone with physical access to the device's debug ports, it can be made to skip the password stuff, and go straight to using the DEK.

Really, the DEK should in some way be derived from the owner's passphrase. No passphrase, no complete key. In reality, the SSDs cheat. What's more, many drives use a single DEK for the entire flash disk, even though they offer to secure different sections with different passwords.

In practice, the Radboud duo say they were able to decrypt the data on a number of SSDs simply by connecting to the drive's debug interface on its circuit board, and modify the password-checking routine in the firmware to accept any passphrase before accessing the DEK to encrypt or decrypt the device.

In other cases, the researchers could retrieve the keys by modifying the drive's firmware, or by exploiting a code injection vulnerability that would also allow an attacker to modify the password routine – both require physical access to the drive.

Results of tests on Crucial and Samsung SSD models

One possible way to secure these devices, the boffins stated in their paper, is to ensure the secrets needed to decrypt a drive are stored off the equipment itself. That can be achieved by using full-disk encryption software that runs on the host computer, and encrypts and decrypts data before it enters and after it leaves the drive using a key derived from a passphrase supplied by the user.

"The results presented in this paper show that one should not rely solely on hardware encryption as offered by SSDs for confidentiality," the paper explained. "We recommend users that depend on hardware encryption implemented in SSDs to employ also a software full-disk encryption solution, preferably an open-source and audited one."

Unfortunately, the pair also note that some popular data encryption systems, including the BitLocker tool Microsoft uses in Windows 10, do not use software encryption for SSDs and rely on the drive's vulnerable hardware encryption.

Cryptography guru Matt Green pulled no punches today...

In those cases, Meijer and van Gastel recommend users and admins look to instead use something like VeraCrypt, or switch BitLocker to use software encryption rather than the drive's baked-in crypto.

"In particular, VeraCrypt allows for in-place encryption while the operating system is running, and can coexist with hardware encryption," they said. "Furthermore, BitLocker users can change their preference to enforce software encryption even if hardware encryption is supported by adjusting the Group Policy setting."

In an email to El Reg, one of the researchers, Bernard van Gastel, told us:

We only looked at the aforementioned models, due to our expertise with e.g. the Arm architecture used in these drives. That being said, the TCG Opal standard that is used is very difficult to implement correctly. The specification has many requirements, and is rather involved.

An easier standard would help vendors with their implementation and making these implementations more secure. From a security standpoint a reference implementation should be made available publicly, so the security community can look into the design and its implementation. This makes it easier for vendors to implements these encryption schemes.

Our general advice to all users of hardware encryption in SSDs is to not solely rely on hardware encryption as currently offered and take additional measures such as installing the VeraCrypt software encryption.

We've pinged Microsoft, Crucial, and Samsung for comment. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

The bigger they are, the harder they fall: Peak smartphone hits Apple, Samsung the worst

Chinese upstarts fill in the gaps

Koh YEAH! Apple, Samsung finally settle iPhone patent crusade

Judge Lucy is rid of bickering billionaires... for perhaps a week or so, we guess

Sorry, Samsung. Seems nobody is immune to peak smartphone

Chaebol warns operating profit to fall 29%

Fee, Fi, bring your own one... Google opens up Project Fi to mobes built by Apple, LG, Samsung

Beware, some features are missing depending on which smartie you use

No, Samsung, you really do owe Apple $120m for patent infringement

US Supreme Court sends another appeal packing

HP starts slinging Apple hardware, tech support vending machines

Add Macs, iPads and iPhones to Devices-as-a-service offering

Microsoft Windows 10 October update giving HP users BSOD

Updated Auto-updates come with a sting

Finally, someone takes a stand against Apple, Samsung for slowing people's phones. Just a few million dollars, tho

Smartmobe-borking updates make Italians see red

Samsung loses (again) to Apple in patent battle (again). This time to the tune of a mere $539m

정말 짜증난다!

LG folds at prospect of launching bendy phone while Samsung flaunts its upcoming kit on telly

We need to get our house in order first, prez tells press