Sunday, July 14, 2024

Samsung & Crucial Storage Device Vulnerability Allows Attackers to Break the Password & Access the Entire Device Data

A critical hardware encryption vulnerability discovered in widely used storage devices from Samsung and Crucial allows an attacker to bypass the existing protection mechanism and access the device data.

Millions of devices use storage devices manufactured by Samsung and Crucial, and both individuals and organizations store sensitive data on them.

The affected solid-state drives are manufactured directly by Samsung Electronics Co. Ltd., and the Crucial brand drives are made by Micron Technology Inc.

Recent research by Radboud University reveals that these self-encrypting drives do not provide the expected level of security, and that an attacker with direct physical access could bypass the device security.

Attackers can break the security mechanisms of the storage devices and possibly access the data without knowing the device password.

Several types of solid-state drives manufactured by Samsung and Crucial are affected by these vulnerabilities.

The flaw affects both internal storage devices (in laptops, tablets and computers) and external storage devices (connected via a USB cable).

The researchers discovered critical security weaknesses in the hardware encryption mechanism that allow an attacker to access password-protected storage devices.

The issues were found on Crucial SSD models MX100, MX200 and MX300 as well as Samsung’s T3 and T5 portable SSDs and the 840 EVO and 850 EVO SSDs.

Hardware Encryption Failed

The researchers analyzed storage devices that rely on a hardware encryption mechanism by reverse engineering the firmware of several models, and found a pattern of critical issues across vendors.

The analysis reveals that on multiple models it is possible to bypass the encryption entirely, without knowing the password or key.

To recover the data from the vulnerable storage devices, the researchers enable an arbitrary write capability in order to change the MASTER PASSWORD CAPABILITY in RAM.

The arbitrary write capability can be enabled by installing a modified firmware that includes arbitrary read/write capabilities, as described in Section VI-C of the research paper.

Once the firmware is completely installed, an attacker can use its arbitrary write capability to write executable code into the device’s address space.

According to the Radboud University researchers, the code is crafted such that it invokes the VerifyPasswd function with a zero buffer as password, using credential slot 11 and with bExtractRdsKey set to true. It should overwrite an existing non-critical ATA command handler function, for example, the SMART command handler. Issuing the corresponding ATA command then executes the code. At this point, the RDS key is extracted and copied to the global RDS key buffer and all protected range keys can be decrypted.

Finally, the researchers modify the VerifyPasswd function such that it always returns SUCCESS. At this point, any password can be used to ‘authenticate’ successfully.

After that, one can authenticate to the drive as normal: the password validation checks no longer work, and the device is unlocked using an empty string as the Master Password.

This flaw has the greatest impact on operating systems that rely only on hardware encryption whenever the storage device supports it.

Modern operating systems generally offer software encryption for the whole storage, and the flaw has little impact if the operating system does not switch to hardware encryption. (BitLocker, the encryption software built into Microsoft Windows, can switch to hardware encryption, which is not recommended if this flaw is to be avoided.)
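An audit for the BitLocker case described above, as an added example that is not part of the original article: it uses the built-in `Get-BitLockerVolume`, `Get-Partition` and `Get-Disk` cmdlets from an elevated PowerShell session to find volumes whose encryption is delegated to the drive. The function names and the model-name patterns are assumptions, the latter derived from the models the article lists.

```powershell
#Requires -RunAsAdministrator
# Added example: list BitLocker volumes that rely on the drive's own encryption.
# The patterns below are assumptions built from the models named in the article;
# compare them with the model strings Get-Disk reports on your own machines.
$AffectedPatterns = @('MX100', 'MX200', 'MX300', '840 EVO', '850 EVO',
                      'Portable SSD T3', 'Portable SSD T5')

function Test-AffectedModel {
    param([string]$Model)
    foreach ($pattern in $AffectedPatterns) {
        if ($Model -like "*$pattern*") { return $true }
    }
    return $false
}

function Get-HardwareEncryptionAudit {
    foreach ($volume in (Get-BitLockerVolume)) {
        # Resolve the volume to its physical disk. Volumes without a drive
        # letter are reported with an empty model string.
        $model = ''
        if ($volume.MountPoint -match '^([A-Za-z]):') {
            $disk = Get-Partition -DriveLetter $Matches[1] -ErrorAction SilentlyContinue |
                    Get-Disk
            if ($disk) { $model = ($disk | Select-Object -First 1).FriendlyName }
        }
        # BitLocker reports 'HardwareEncryption' when it uses the drive's engine.
        $hardware = "$($volume.EncryptionMethod)" -eq 'HardwareEncryption'
        [pscustomobject]@{
            MountPoint        = $volume.MountPoint
            ProtectionStatus  = $volume.ProtectionStatus
            EncryptionMethod  = $volume.EncryptionMethod
            DiskModel         = $model
            HardwareEncrypted = $hardware
            # Review first: drive-side encryption on a model the article lists.
            ReviewFirst       = $hardware -and (Test-AffectedModel -Model $model)
        }
    }
}

Get-HardwareEncryptionAudit |
    Sort-Object ReviewFirst, HardwareEncrypted -Descending |
    Format-Table -AutoSize
```

A volume reported with `HardwareEncrypted` set to `True` stays that way until BitLocker is turned off and the volume is re-encrypted with a software method; changing the policy alone does not convert existing volumes.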

“Both manufacturers were informed of this security problem in April 2018 by the National Cyber Security Centre (NCSC) of the Netherlands. The university provided details to both manufacturers to enable them to fix their product. The manufacturers will themselves provide detailed information to their customers about the affected models,” the researchers said.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
