Radboud University (NL) researchers today announced their discovery that widely used data storage devices with self-encrypting drives do not provide the expected level of data protection. A malicious expert with direct physical access to widely sold storage devices can bypass existing protection mechanisms and access the data without knowing the user-chosen password.
Mounir Hahad, Head of the Juniper Threat Labs at Juniper Networks:
“But for attacks where the threat actor has physical access to your drive (or your laptop), as is the case with a hotel room or when you lose your device, this research clearly demonstrates that hardware encryption in the tested models is absolutely not providing the confidentiality and integrity it is supposed to. The models listed out in the research are very popular and, therefore, the attack surface is significant. I suggest that any company that deploys these models in their Windows laptops switches to software encryption immediately and reimages the drives to work around this issue. Switching only to software encryption without reimaging does not provide protection for data previously on the disk.”
Pravin Kothari, CEO at CipherCloud:
“But not according to the researchers at Radboud University. Amazingly, and unbelievably, a master password remains active and can be looked up by anyone in the SED manual. How can this be, you ask? Because you must follow an additional administrative procedure to disable the master password.
The chronic problem with embedded or default master passwords manifests itself in many other areas besides SED drives. Master default or embedded passwords are the biggest problem with internet of things (IoT) devices. Only a month or so ago California passed legislation which prohibited default password use in IoT devices beginning in 2020.”