Researchers find critical leaks and bypass self-encryption feature of popular Crucial and Samsung SSDs

Security researchers from Radboud University in the Netherlands today report they’ve found critical vulnerabilities in self-encrypting SSDs from Samsung and Crucial. The vulnerabilities allow an attacker who gains possession of the drive to bypass security measures. This way the attacker is able to access all data, without knowing the password.

Researchers find critical leaks and bypass self-encryption feature of popular Crucial and Samsung SSDs

The researchers found that the Crucial MX100, Mx200 and MX300 are vulnerable, as well as the Samsung T3, T5 external SSDs and Samsung 840 EVO and 850 EVO interal SSDs. It ‘s very well possible that more drives are vulnerable as well, the researchers note they haven’t tested all drives on the market.

Affected drives all support the TCG Opal standard and due a to a wrong implementation of this standard, the data on these SSDs is not properly secured.

TCG Opal is a set of specifications for features of data storage devices and it also defines a way of encrypting data for self-encrypting SSDs. There are different ways of implementing self-encryption and in case of the vulnerable drives, TCG Opal disk encryption is not properly implemented.

In their report (PDF), the researchers state that the first security issue found in some SSDs is that there is no cryptographic link between the user’s password and the disk encryption key (DEK).

“Obviously, the password should be required in order to obtain the DEK, and this requirement should be cryptographically enforced. Absence of this property is catastrophic. Indeed, the protection of the user data then no longer depends on secrets. All the information required to recover the userdata is stored on the drive itself and can be retrieved. Unfortunately, implementing this properly is not entirely trivial,” the researchers write in their report.

The second problem was found in the wear-leveling functionality of some affected SSDs. Wear-leveling is used to prolong the life of SSDs. Because every write and delete action on NAND flash memory causes the cells to wear out, wear-leveling algorithms are developed that distribute writes as evenly as possible across all flash blocks in SSDs. This should prevent some flash memory blocks to wear out faster than others.

The controller of the SSDs takes care of this, and regularly moves data from one location to another make sure all NAND flash blocks are evenly used. However, the data that is moved, remains available on the old location until it’s overwritten.

That could have a negative effect on security, as the researchers explains their report, “suppose that the disk encryption key (DEK) is stored unprotected, after which a password is set by the end user, replacing the unprotected DEK with an encrypted variant. Due to wear leveling, the new variant can be stored somewhere else within the storage chip and the old location is marked as unused. If not overwritten later by other operations, the unprotected variant of the DEK can still be retrieved.”

Another issue is in the combination of Microsoft Bitlocker with the vulnerable SSDs. BitLocker is a full disk encryption feature included with Windows. When an SSD supports hardware based full-disk encryption, Bitlocker will not perform any other encryption. That means the software exclusively relies on the encryption feature of the SSD, and in case of the vulnerable SSDs, that means there is no additional protection from Bitlocker.

While the Crucial MX100, MX200 and MX300, and the Samsung T3 and T5 are vulnerable in any case, the Samsung 840 EVO and  850 EVO are only vulnerable when ATA security high mode is enabled in the BIOS. When the drive is set in TCG or ATA max mode in the BIOS, these SSDs are not vulnerable.

In April 2018, both Crucial and Samsung were informed about the vulnerabilities. Samsung has posted a statement on its website regarding the issue. For the Samsung 840 EVO and Samsung 850 EVO internal SSDs, the company recommends downloading another type of encryption software. For the external Samsung T3 and T5 drives, the company advises to upgrade the firmware.

Crucial has indicated it intents to release firmware updates, according to the Dutch National Cybersecurity Center.