Radboud University (NL) researchers today announced their discovery that widely used data storage devices with self-encrypting drives do not provide the expected level of data protection. A malicious expert with direct physical access to widely sold storage devices can bypass existing protection mechanisms and access the data without knowing the user-chosen password.
Mounir Hahad, Head of the Juniper Threat Labs at Juniper Networks:
“For most cyber threat activity, the vulnerability of hardware full disk encryption makes no difference to the attack’s success. Typically, remote attacks using malware or hacking require the victim’s computer to be up and running, and disk access is not an issue since the content is already being decrypted by normal operation.
But for attacks where the threat actor has physical access to your drive (or your laptop), as is the case with a hotel room or when you lose your device, this research clearly demonstrates that hardware encryption in the tested models is absolutely not providing the confidentiality and integrity it is supposed to. The models listed out in the research are very popular and, therefore, the attack surface is significant. I suggest that any company that deploys these models in their Windows laptops switches to software encryption immediately and reimages the drives to work around this issue. Switching only to software encryption without reimaging does not provide protection for data previously on the disk.”
Pravin Kothari, CEO at CipherCloud:
“Embedded passwords continue to roll out the red carpet for cyber attackers again and again. According to recent announcements by researchers at Radboud University in the Netherland, solid state drives that are self encrypting (called SEDs) appear to have a substantial security flaw, at least in one vendor’s implementation which they examined closely. The whole idea behind SEDs was to use a hardware based chip which allowed you to set a password that decrypts your data. This avoided the problem of keeping the password resident on the computer to which the SSD was connected and theoretically improved security. SEDs were supposed to be super secure.
But not according to the researchers at Radboud University. Amazingly, and unbelievably, a master password remains active and can be looked up by anyone in the SED manual. How can this be, you ask? Because you must follow an additional administrative procedure to disable the master password.
The chronic problem with embedded or default master passwords manifests itself in many other areas besides SED drives. Master default or embedded passwords are the biggest problem with internet of things (IoT) devices. Only a month or so ago California passed legislation which prohibited default password use in IoT devices beginning in 2020.”