Self-encrypting SSDs vulnerable to encryption bypass attacks

Researchers have discovered security holes in the hardware encryption implementation of several solid state disks (SSDs) manufactured by Crucial (owned by Micron) and Samsung, which could allow attackers to bypass the disk encryption feature and access the data on them without having to know the user’s password.

The findings

Carlo Meijer and Bernard van Gastel from Radboud University have analyzed the security of seven SSD disks by reverse engineering their firmware: Crucial MX100, MX200, and MX300 (internal); Samsung 840 EVO and 850 EVO (internal); and Samsung T3 and T5 (external).

Other similar and newer offerings by those firms might also be vulnerable, but the researchers didn’t test them to confirm. But, as they noted, these two vendors combined produce close to half of the SSDs currently sold, so fixing these flaws is of critical importance.

“(…) CVE-2018-12037 (…) is characterised by the absence of cryptographic binding between the password provided by the end user and the cryptographic key used for the encryption of user data. As such, the confidentiality of the user data does not depend on secrets, and thus can be recovered by an attacker who has code execution on the drive’s controller (achievable through, e.g., JTAG, memory corruption, storage chip contents manipulation, and fault injection),” they explained in a security advisory.

This vulnerability affects all of the aforementioned disks, with the caveat that Samsung 840 EVO and 850 EVO must use ATA security in High mode to be vulnerable to an encryption bypass and data recovery attack.

The second class of vulnerabilities (CVE-2018-12038) arises because key information is stored within a wear-levelled storage chip and not adequately scrubbed from it once the encrypted variant is created, making it accessible to attackers. This vulnerability affects the Samsung 840 EVO.

They also found that BitLocker, which comes bundled with Microsoft Windows, “relies exclusively on hardware full-disk encryption if the drive indicates support for it. Thus, for these drives, data protected by BitLocker is also compromised.”

More details about their approach, discovery and successful attacks can be found in this (draft) paper, but they won’t be releasing an exploitation tool.

What to do?

The researchers have responsibly disclosed their findings to Crucial and Samsung in April 2018.

Samsung has released a consumer notice advising users of their affected portable drives to update the firmware, either by themselves or by technicians at their nearest Samsung Service Center. Users of non-portable disks (in laptops, tablets and computers) must employ software encryption before storing the data on the disks if they want the data to be secure.

“We recommend installing encryption software (freeware available online) that is compatible with your system,” the company advised.

Crucial is yet to officially offer any comment on the findings, event though some users are understandably eager for more details.

“To warrant data confidentiality, we recommend hardware encryption users to employ also a software full-disk encryption solution, preferably an open-source and audited one. In particular, VeraCrypt allows for in-place encryption while the operating system is running, and can co-exist with hardware encryption,” the researchers noted.

“In case users are using BitLocker, a Group Policy setting exists that prevents it from configuring new drives through TCG Opal, and uses software encryption instead. However, this has no effect on already-deployed drives. Only an entirely new installation, including setting the Group Policy correctly and securely erasing the internal drive, enforces software encryption. VeraCrypt can be an alternative solution for these existing installations, as it offers in-place encryptions.”

UPDATE (November 7, 2018):

Microsoft has reacted to the revelations by publishing a security advisory detailing how users can configure BitLocker to enforce software encryption.