Firmware updates won’t address the problem, so admins need to take other action.
Self-encrypting solid-state storage drives from Samsung and Crucial are open to tampering that would allow an attacker with physical access to harvest their data without knowing the user’s password, researchers have discovered.
Researchers at Radboud University in the Netherlands found that it’s possible to bypass existing protection mechanisms and access the data without knowing the user’s password. The issue affects both internal storage devices (in laptops, tablets and computers) and external storage devices (connected via a USB cable), across Mac, Linux and Windows systems.
There are two classes of vulnerabilities, both stemming from the use of the TCG Opalencryption standard. The first (CVE-2018-12037) has to do with the absence of cryptographic binding between the password provided by the end user and the cryptographic key used for the encryption of user data.
“As such, the confidentiality of the user data does not depend on secrets, and thus can be recovered by an attacker who has code execution on the drive’s controller (achievable through, e.g. JTAG, memory corruption, storage chip contents manipulation, and fault injection),” the researchers explained in their advisory [PDF], published Monday.