
Hardware Encryption on Samsung's (and other companies') SSDs breached

According to this recently published report by researchers from Radboud University in the Netherlands, hackers could easily bypass the encryption on Samsung SSDs without the user's passwords. They simply reverse engineered the firmware and modified the password validation routine in RAM through JTAG.

Currently I can't see that this issue has been discussed in the forum yet, so I will do that, since Samsung has published only a small consumer notice, which IMHO is not satisfying. Simply advising users to use the newest firmware does not convince me, because since the security breach was published no new firmware addressing it has been made available.

The report lists the Samsung SSD models 840 EVO (SATA), 850 EVO (SATA), T3 (USB) and T5 (USB) as affected but does not rule out that other models (like the PROs or the M.2 models) are affected too, and neither does Samsung in its consumer notice.

Since Crucial models are affected the same way, the kind of vulnerability looks to me as if this SED (self encrypted device) thing is broken by design, and something has to be done to get my confidence back.


In the meantime, Microsoft has disabled hardware encryption by default, as described in its security advisory on BitLocker.

I myself have a Samsung SSD 850 PRO and an M.2 960 EVO model. The 850 PRO is in use on my desktop PC with hardware encryption together with a hardware TPM. The M.2 model does not support eDrive as a boot drive, but that's a different issue (with the mainboard BIOS).

I would like to get some concrete and reasonable answers for:

  • Are the 850 PRO and 960 EVO affected by the problem too, and if not, why not? Do they have different encryption algorithms in their firmware (hard to believe)?
  • As I understand the problem, usage of a TPM does not mitigate it, since the TPM only deals with authentication, if a faked firmware were used where any password can be used to decrypt the data.
  • Are OPAL and Encrypted Drive affected the same way?
  • Some sources report that ATA Maximum Security Level would mitigate the problem, but to my knowledge this is mainly available on notebook BIOSes and may not work together with BitLocker?!
  • What is generally planned to be done to fix the problem? Encrypted data must be safe and immune to hardware hacking. If not, features like self encrypting devices are worthless.

Until then I have no confidence in self encrypted devices and am considering the use of software-based full disk encryption.
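
The bypass described in this post targets the password validation routine. As an added illustration (not part of the original post, the report, or any vendor's firmware), this sketch contrasts two hypothetical designs: one where the password is only compared, and one where the data encryption key (DEK) is stored only wrapped under a password-derived key. The class names, the `check_enabled` flag and the XOR wrap are assumptions made for the example.

```python
import hashlib, hmac, os

def kdf(password: str, salt: bytes) -> bytes:
    # Password-based key derivation (PBKDF2-HMAC-SHA256, 32-byte output).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def xor(a: bytes, b: bytes) -> bytes:
    # Toy key wrap for illustration only; a real design uses AES key wrap or an AEAD.
    return bytes(x ^ y for x, y in zip(a, b))

class ValidationOnlyDrive:
    """Hypothetical design: the DEK is stored as-is, the password is only compared."""
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.dek = os.urandom(32)              # data encryption key held by firmware
        self.pw_hash = kdf(password, self.salt)
        self.check_enabled = True              # stands for the validation routine

    def unlock(self, password: str):
        ok = hmac.compare_digest(kdf(password, self.salt), self.pw_hash)
        if self.check_enabled and not ok:
            return None
        return self.dek                        # the key never depended on the password

class PasswordBoundDrive:
    """Hypothetical design: the DEK exists only wrapped under a password-derived key."""
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        kek = kdf(password, self.salt)
        self.wrapped = xor(os.urandom(32), kek)
        self.tag = hmac.new(kek, self.wrapped, "sha256").digest()
        self.check_enabled = True

    def unlock(self, password: str):
        kek = kdf(password, self.salt)
        ok = hmac.compare_digest(hmac.new(kek, self.wrapped, "sha256").digest(), self.tag)
        if self.check_enabled and not ok:
            return None
        return xor(self.wrapped, kek)          # wrong password yields a wrong key

def compare_designs():
    """Return {design: (wrong_pw_rejected, dek_released_when_check_is_skipped)}."""
    out = {}
    for cls in (ValidationOnlyDrive, PasswordBoundDrive):
        drive = cls("correct horse")           # constructed sample password
        real_dek = drive.unlock("correct horse")
        rejected = drive.unlock("guess") is None
        drive.check_enabled = False            # models a skipped validation routine
        out[cls.__name__] = (rejected, drive.unlock("guess") == real_dek)
    return out
```

Both designs reject a wrong password while the check runs; only the first one hands out the real DEK once the check no longer runs.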


Re: Hardware Encryption on Samsung's (and other companies') SSDs breached

As I can see, the issue was posted by others too.

But no one cares, neither customers nor Samsung technicians.

Hence, I conclude that hardware encryption of Samsung's (and other companies') SSDs should be considered a failed attempt at digital revolution and should be wiped out from any product sheet. Too bad, it could have been a nice feature.