A critical Hardware Encryption based vulnerability discovered in Widely used storage devices from Samsung & Crucial allow an attacker to bypass the Existing protection mechanism and access the device data.
Millions of devices are using data Storage Devices Manufactured by Samsung & Crucial to store the sensitive data by both individuals and organizations.
Solid-state Storage drives directly manufactured by Samsung Electronics Co. Ltd. and Crucial brand drives made by Micron Technology Inc.
Recent research by Radboud University reveals that these data storage devices with self-encrypting drives do not provide the upto the level of security and attacker could bypass the device security with direct physical access.
Attackers break the security mechanisms from the storage devices and possibly access the data without knowing the device password.
several types of solid-state drives manufactured by Samsung and Crucial are affected by this vulnerabilities.
Aslo This flaw affected in both internal storage devices (in laptops, tablets and computers) and in external storage devices (connected via a USB cable).
Researchers discovered this flaw in hardware encryption mechanism which is having critical security weaknesses that allows attacker access the password protected storage devices.
The issues were found on Crucial SSD models MX100, MX200 and MX300 as well as Samsung’s T3 and T5 portable SSDs and the 840 EVO and 850 EVO SSDs.
Hardware Encryption Failed
Researchers analyzed the storage devices that rely on hardware encryption mechanism by reverse engineering the several firmware and find the flaw called a pattern of critical issues across vendors.
Analyzing results reveal that multiple models can possible to bypass the encryption entirely without knowing the password and key.
Recover the data from the vulnerable storage devices, researchers enable the arbitrary write capability in order to change the MASTER PASSWORD CAPABILITY in RAM.
Arbitrary write capability can be enabled by installing a modified firmware that includes arbitrary read/write capabilities which you can read here research paper Section VI-C.
Once the firmware will completely installed attacker could enable the use its arbitrary write capability in order to write executable code in the device’s address space.
According to the Radboud University Researchers, The code is crafted such that it invokes the VerifyPasswd function with a zero buffer as password, using credential slot 11 and with bExtractRdsKey set to true.
It should overwrite an existing non-critical ATA command handler function, for example, the SMART command handler.
Issuing the corresponding ATA command then executes the code. At this point, the RDS(Relational Database Service) key is extracted and copied to the global RDS key buffer and all protected range keys can be decrypted.
Here researcher finally modify the VerifyPasswd function such that it always returns
SUCCESS, At this point, any password can be used to ‘authenticate’ successfully.
Later we can authenticate to the drive as normal and here password validation checks will not be working and the device will be unlocked using an empty string as the Master Password.
In this case, This flaw will impact more to the Operating systems that only rely on hardware encryption if hardware encryption is supported by the storage device.
Modern operating systems generally offer software encryption for the whole storage and this flaw will not impact much if the Operating systems if it does not perform this switch to hardware encryption. ( BitLocker, the encryption software built into Microsoft Windows helps to switch into hardware encryption which is not recommended to avoid this flaw.)
“Both manufacturers were informed of this security problem in April 2018 by the National Cyber Security Centre (NCSC) of the Netherlands. The university provided details to both manufacturers to enable them to fix their product. The manufacturers will themselves provide detailed information to their customers about the affected models” Researchers said.
Also Read:
DUHK Attack allows Hackers to Recover Encryption Keys and Decrypt Communications Passing Over VPN
.webp "LeSlipFrancais Data Breach: Customers’ Personal Information Exposed")