Carlo Meijer and Bernard van Gastel, two researchers at Radboud University in the Netherlands, issued a warning that hardware encryption in various models of Solid State Drives (SSDs) is not secure. The vulnerabilities affected only “ATA security” and “TCG Opal” hardware-based encryption on self-encrypting drives (SEDs). Furthermore, they affected hardware-encrypted SSD models with a local built-in chip, separate from the main CPU.
The researchers examined multiple SSDs, including models from Crucial and Samsung, some of which they found could be unlocked with any password if the password validation routine in RAM was modified through a standard JTAG debugging interface.
The two stated that the SEDs they analyzed allowed users to set a password that decrypted their data, but also came with support for a so-called “master password” that was set by the SED vendor.
“Any attacker who read an SED’s manual can use this master password to gain access to the user’s encrypted password, effectively bypassing the user’s custom password”.
Other issues are detailed in the researchers’ paper, titled “Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs),” which is available in PDF format.
Due to limited access to SSDs, Meijer and van Gastel said they tested their findings on only a small number of devices, listed in the table below, but found that all were vulnerable.
Both Crucial and Samsung, whose products they tested, have released firmware updates to address the reported flaws.