Researchers from Radboud University in the Netherlands have discovered that quite a few SSD manufacturers have implemented hardware encryption only superficially.
They examined the firmware of a number of SSD devices (together about 50% of today's SSDs) and found that hackers can read the contents of the drives without knowing any password or encryption key. They state that the contents of one drive could be unlocked with "any password" because the verification did not work at all, and those of another by entering an empty password, so it was only necessary to press the Enter key.
The report explicitly lists the following insecure SSDs: the Crucial (Micron) MX100, MX200 and MX300, the Samsung T3 and T5 external USB drives, and the Samsung 840 EVO and 850 EVO.
The story does not end there: it continues with Microsoft and its disk encryption BitLocker, which is part of Windows (including Windows Server). If the user (or a company's system administrator) decides to encrypt the drive with BitLocker, it checks whether the SSD offers hardware encryption and, if so, uses it automatically. BitLocker encryption in this case automatically becomes "SSD disk encryption", which, as we have already written, sucks.
Microsoft has already issued a security advisory on this, recommending that you use Windows Group Policy to make BitLocker use software encryption. In fact, the correct procedure is much more complicated: the disk must first be decrypted, then the group policy changed, and only then can the disk be encrypted again.
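The decrypt, change policy, re-encrypt sequence described above can be scripted with the BitLocker PowerShell module. This is an added example, not code from Microsoft or from the researchers; the registry value names behind the Group Policy settings, the password protector and the XTS-AES 256 method (Windows 10 1511 or later) are assumptions to adapt to local policy.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the article. Lists BitLocker volumes that rely on the
# SSD's own encryption; with -Remediate, re-encrypts data volumes in software.
param([switch]$Remediate)

$hw = @(Get-BitLockerVolume | Where-Object { $_.EncryptionMethod -eq 'HardwareEncryption' })
if ($hw.Count -eq 0) { Write-Output 'No volume uses hardware encryption.'; return }
$hw | Format-Table MountPoint, VolumeType, EncryptionMethod, VolumeStatus, ProtectionStatus | Out-Host

if (-not $Remediate) { return }

# The OS volume needs its own protector choice and a reboot, so only data
# volumes are handled here.
$data = @($hw | Where-Object { $_.VolumeType -eq 'Data' })
if ($data.Count -eq 0) { Write-Output 'Only the OS volume is affected; handle it separately.'; return }

# Step 1: decrypt and wait until each volume is fully decrypted.
foreach ($v in $data) {
    Disable-BitLocker -MountPoint $v.MountPoint | Out-Null
    while ((Get-BitLockerVolume -MountPoint $v.MountPoint).VolumeStatus -ne 'FullyDecrypted') {
        Start-Sleep -Seconds 30
    }
}

# Step 2: turn off hardware-based encryption by policy.
# Assumption: these are the registry values behind the Group Policy settings
# "Configure use of hardware-based encryption for ... drives". In a domain,
# set the policy in a GPO instead of writing the registry locally.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
    New-ItemProperty -Path $fve -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
}

# Step 3: encrypt again in software, whole volume (no -UsedSpaceOnly).
# Assumption: a password protector is acceptable for these data volumes.
$pw = Read-Host -AsSecureString 'New BitLocker password for the data volumes'
foreach ($v in $data) {
    Enable-BitLocker -MountPoint $v.MountPoint -EncryptionMethod XtsAes256 `
        -PasswordProtector -Password $pw | Out-Null
}

# Confirm the result: EncryptionMethod should now read XtsAes256.
Get-BitLockerVolume -MountPoint $data.MountPoint |
    Format-Table MountPoint, EncryptionMethod, VolumeStatus | Out-Host
```

Run it without `-Remediate` first to see which volumes are affected, and back up the data before decrypting.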
The Dutch researchers notified the SSD manufacturers of the flaws a few months ago, and by now a software update is also available where one is possible. They also recommend using open-source products such as VeraCrypt instead of closed-source products such as BitLocker.