Researchers at Radboud University in the Netherlands have discovered that popular SSDs featuring self-encrypting technology do not provide the expected level of data protection.

A malicious expert with direct physical access to widely sold storage devices can bypass existing protection mechanisms and access the data without knowing the user-chosen password, the researchers said.

These flaws exist in the encryption mechanism of several types of solid state drives of two major manufacturers, namely Samsung and Crucial. The vulnerabilities occur both in internal storage devices (in laptops, tablets and computers) and in external storage devices (connected via a USB cable). The storage devices affected include popular models that are currently widely available.

The researchers say that if sensitive data needs to be protected, it is in advisable to use software encryption and not rely solely on hardware encryption. On computers running Windows, BitLocker provides software encryption, and data may not be secure.

The researchers identified these security issues using public information and SSDs. Although it is quite difficult to discover these problems from scratch, once the nature of the issues is known, there is a risk that the exploitation of these flaws will be automated by others, making abuse easier. The researchers at Radboud University of course will not release such an exploitation tool.

The models for which vulnerabilities have actually been demonstrated in practice are:

• Crucial (Micron) MX100, MX200 and MX300 internal disks;
• Samsung T3 and T5 USB external disks;
• Samsung 840 EVO and 850 EVO internal disks.

On computers running Windows, a software component called BitLocker handles the encryption of the computer's data. In Windows, the kind of encryption that BitLocker uses (i.e. hardware encryption or software encryption) is set via the Group Policy. If available, standard hardware encryption is used. For the affected models, the default setting must be changed so that only software encryption is used. This change does not solve the problem immediately, because it does not re-encrypt existing data. Only a completely new installation, including reformatting the internal drive, will enforce software encryption. As an alternative to reinstallation, the VeraCrypt software package can be used.

Both manufacturers were informed of this security problem in April 2018 by the National Cyber Security Centre (NCSC) of the Netherlands. The university provided details to both manufacturers to enable them to fix their product. The manufacturers will provide detailed information to their customers about the affected models.

For non-portable Samsung SSDs, Samsung recommends installing encryption software (freeware available online). For portable SSDs, the company recommends updating the firmware on the SSDs.

There is no official response from Micron/ Crucial yet.