Self-Encrypting SSDs Let Attackers Decrypt Data
Security researchers have discovered multiple critical vulnerabilities in some of the popular self-encrypting solid state drives (SSD) that could allow an attacker to decrypt disk encryption and recover protected data without knowing the password for the disk. The researchers—Carlo Meijer and Bernard van Gastel—at Radboud University in the Netherlands reverse engineered the firmware several SSDs that offer hardware full-disk encryption to identify several issues and detailed their findings in a new paper (PDF) published Monday
The duo successfully tested their attack against three Crucial models of SSDs—Crucial MX100, MX200, and MX300—and four Samsung SSDs—840 EVO, 850 EVO, T3 Portable, and T5 Portable drives and found at least one critical flaw that breaks the encryption scheme. But researchers warned that many other SSDs may also be at risk.
Don’t Trust BitLocker to Encrypt Your SSD
What’s more? Since Windows’ built-in BitLocker full-disk encryption software by default uses hardware-based encryption if available, instead of its own software-based encryption algorithms, Windows users relying on BitLocker and using vulnerable drives remain exposed to above-mentioned vulnerabilities.