Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
rcmaehl

Scandalous SSDs! Your NAME BRAND Encrypted SSDs are unlockable using " "

Recommended Posts

Posted · Original PosterOP

Source:

Paper

Medium

 

TL;DR:

Various name brand companies have been found to be lying about full disk encryption, up to easily bypassing using no password.

 

Media:

1_eRlJSyf5_oS73lAytjaPmg.png.880c8000e72958b8fd0b191aac0cd4e7.png

 

Quotes/Excerpts:

Quote

Many companies now use full disk encryption for their computers, especially for laptops on the move. But is it actually robust? Well, not if you read this paper. I cannot even start to explain how bad this discovery is for the industry, and a complete embarrassment for the vendors involved. The lack of integration between vendors seems almost negligent in the extreme. Some SSD drives (including Samsung and Crucial) do not actually encrypt the data properly, and that they can be easily by-passed without a system password. The researchers investigated the MASTER PASSWORD CAPABILITY bit 
in the firmware and which can be set so that a factory-set Master password can unlock the drive. For the Samsung MX300 SSD it was found there was no need to set this bit as it could be reset by decrypting the RDS key. The master password thus protects the main encryption key used for the disk. In the case of the MX300 drive this is “” (an empty string!!!!!!!!!!!!!). Yes … you read that correctly … the password which releases the encryption key for the whole disk is an empty string. If you need to have full disk encryption, and you have an SSD drive, you just cannot trust hardware encryption. At least with software encryption the data is encrypted before it gets anywhere near your disk. A master password of “” (an empty string — or 32 NULL characters) is shocking, and negligence of the highest kind.

 

My Thoughts:

Wow! There may be some fallout larger than 76 this year. This is some EXTREME negligence from name brand companies. Maybe a firmware update will resolve it for SOME drives but very few users know how to do so or that drive firmware updates even exist.


PLEASE QUOTE ME IF YOU ARE REPLYING TO ME
LinusWare Dev | NotCPUCores Dev

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX480 8GB OC, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 

Link to post
Share on other sites
Posted · Original PosterOP

I made this post on mobile. I'll attempt cleanup on it later this evening. Please excuse any issues.


PLEASE QUOTE ME IF YOU ARE REPLYING TO ME
LinusWare Dev | NotCPUCores Dev

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX480 8GB OC, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 

Link to post
Share on other sites

So I have an Intel 330 240gb (Sandforce), and a Crucial 250gb MX200 drive.  I've been using Bitlocker, which relies upon the in-drive routines for encryption on the MX200.  The 330 is sitting on the shelf.

The Intel doesn't have built-in encryption.  Any encryption would be derived from the host executing routines.

So basically the moral of the story is that I should probably convert the laptop to the Intel drive, right?  

Link to post
Share on other sites
Guest
This topic is now closed to further replies.


×