Researchers at Radboud University in the Netherlands have found vulnerabilities in certain solid-state drives (SSDs) that allow hackers to circumvent disk encryption and access local data without knowing the disk encryption password.
The vulnerabilities only impact SSD models that support hardware-based encryption, or self-encrypting drives (SEDs).
The firmware weaknesses affect ATA security and TCG Opal, two specifications for deployment of hardware-based encryption on SEDs.
Analysis revealed the SEDs permitted users to set an encryption password, but also came with support for a vendor-established "master password," which attackers can use to access the user's encrypted password.
Also, improper implementations of the ATA security and TCG Opal specifications mean the user-chosen password and the actual disk encryption key (DEK) lack a cryptographical connection, an oversight the researchers deemed "catastrophic."
View Full Article
Abstracts Copyright © 2018 Information Inc., Bethesda, Maryland, USA