Researchers at Radboud University have discovered critical security flaws in several Crucial and Samsung solid state drives (SSDs) that could be exploited to recover encrypted data without knowing the password.
The researchers, who detailed their findings in a new paper released Monday, reverse-engineered the firmware of several drives and identified a "set of critical issues" across different manufacturers.
In the case of one drive, the master password used to decrypt the drive's data was simply an empty string, and the flaw could be exploited by flipping a bit in the drive's memory. Another drive could be unlocked with "any password" by making the drive's password validation checks crash.
This would not be a problem if an affected drive also used software encryption to secure its data. However, the researchers found that on Windows computers the default policy for BitLocker, Microsoft's software-based encryption, is to trust the drive: it relies entirely on the device's hardware encryption to protect the data. So, as the researchers found, if the hardware encryption is flawed, BitLocker does little to prevent data theft.
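The practical check that follows from this is whether a BitLocker volume is actually being protected by the drive's firmware rather than by BitLocker's own software encryption. On Windows, Microsoft's `manage-bde -status` tool prints an "Encryption Method" line for each volume, and that line reads "Hardware Encryption" when BitLocker has delegated to the SSD. The script below is an added example written for this article, not code from the researchers or from Microsoft; it parses such output and flags the volumes whose confidentiality depends entirely on the drive. The sample output it carries is constructed to mirror the tool's layout, and the exact spacing and field names of real output are an assumption.

```python
"""Flag BitLocker volumes that delegate encryption to the SSD's own hardware.

Parses the text that Microsoft's `manage-bde -status` prints on Windows and
reports any volume whose "Encryption Method" line says "Hardware Encryption",
i.e. a volume whose confidentiality rests entirely on the drive's firmware.
The SAMPLE_STATUS text is constructed for this example (the field layout is an
assumption about the tool's output), not captured from a real machine.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: volume C: trusts the drive, volume D: uses XTS-AES in software.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 476.94 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Password
        Numerical Password
"""

# "Volume C: [Windows]" opens a new per-volume block.
VOLUME_RE = re.compile(r"^Volume ([A-Z]):")
# Indented "Name:   value" lines inside a block ("Key Protectors:" has no value and is skipped).
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+):\s+(.+?)\s*$")


@dataclass
class VolumeStatus:
    letter: str
    encryption_method: str
    conversion_status: str

    @property
    def hardware_encrypted(self) -> bool:
        # BitLocker reports "Hardware Encryption - <OID>" when the SSD does the work.
        return "hardware encryption" in self.encryption_method.lower()


def _build(letter: str, fields: Dict[str, str]) -> VolumeStatus:
    return VolumeStatus(
        letter=letter,
        encryption_method=fields.get("Encryption Method", "None"),
        conversion_status=fields.get("Conversion Status", "Unknown"),
    )


def parse_status(text: str) -> List[VolumeStatus]:
    """Split manage-bde output into one VolumeStatus per 'Volume X:' block."""
    volumes: List[VolumeStatus] = []
    current: Optional[str] = None
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        vol = VOLUME_RE.match(line)
        if vol:
            if current is not None:
                volumes.append(_build(current, fields))
            current, fields = vol.group(1), {}
            continue
        if current is None:  # banner text before the first volume
            continue
        field = FIELD_RE.match(line)
        if field:
            fields[field.group(1).strip()] = field.group(2)
    if current is not None:
        volumes.append(_build(current, fields))
    return volumes


def hardware_encrypted_volumes(text: str) -> List[str]:
    """Drive letters whose protection depends solely on the SSD's firmware."""
    return [v.letter for v in parse_status(text) if v.hardware_encrypted]


if __name__ == "__main__":
    for v in parse_status(SAMPLE_STATUS):
        verdict = "RELIES ON DRIVE FIRMWARE" if v.hardware_encrypted else "software encryption"
        print(f"Volume {v.letter}: {v.encryption_method} -> {verdict}")
```

On a real machine the text would come from running `manage-bde -status` in an elevated prompt and feeding its output to `parse_status`. A volume that is flagged can be moved to software encryption by disabling the BitLocker Group Policy setting "Configure use of hardware-based encryption for operating system drives" (and its fixed and removable data drive equivalents) and then decrypting and re-encrypting the volume, since an already hardware-encrypted volume is not converted by the policy change alone.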
In other words, users "should not rely solely on the hardware encryption offered by SSDs for confidentiality purposes," the researchers said.
Alan Woodward, a professor at the University of Surrey, said the biggest risk to users is the drive's security "failing in silence."
"You may think that you made the right choice by activating BitLocker, but a third-party fault undermines your security, and you never know and never will," he said.
Matthew Green, a professor of cryptography at Johns Hopkins, described the BitLocker flaw in a tweet as "like jumping from an airplane with an umbrella instead of a parachute."
The researchers said their findings were not yet finalized, pending peer review, but the research was made public after the bugs were disclosed to the drive makers in April.
Crucial's MX100, MX200 and MX300, Samsung's T3 and T5 USB external drives, and Samsung's 840 EVO and 850 EVO internal drives are known to be affected, but the researchers warned that many other drives could also be at risk.
The researchers criticized device manufacturers' proprietary, closed-source cryptography, claiming, and proving, that it is often "much weaker in practice" than open source, verifiable cryptographic libraries. "Manufacturers who take security seriously should publish their cryptography schemes and the corresponding code so that security claims can be independently verified," they wrote.
The researchers recommend using software encryption instead, such as the open source software VeraCrypt.
In an advisory, Samsung also recommended that users install encryption software to prevent any "potential violation of self-encrypting SSDs". Crucial's owner, Micron, reportedly has a fix, according to an advisory from the Netherlands' National Cyber Security Centre, but did not say when it would be released.
Micron did not immediately respond to a request for comment.