Security Update: Researchers have identified flaws in the hardware-based encryption of Solid State Drives (SSDs) made by Samsung and Crucial
Audience: Samsung and Crucial SSD users
Researchers at Radboud University in the Netherlands have identified several flaws in the hardware-based encryption of Solid State Drives (SSDs) made by Samsung and Crucial. These flaws can allow access to encrypted data without authorization. The default behavior of Microsoft’s BitLocker encryption does NOT protect against this vulnerability. Users whose computers contain the affected drives and rely on SSD hardware-based encryption or on BitLocker will need to take action to protect their data.
For a description of the vulnerabilities and affected systems, visit:
- CERT Vulnerability Note VU#395981
- Radboud University researchers discover security flaws in widely used data storage devices
- Crucial SSD Support
- Samsung Consumer Notice regarding Samsung SSDs
- Microsoft Security Advisory ADV180028: Guidance for configuring BitLocker to enforce software encryption
Please note that this is not an all-inclusive list of affected systems. Contact your vendor(s) to determine if this vulnerability affects your system(s) and to obtain updates for your products or recommendations for mitigating this vulnerability.
Affected models include, but are not limited to:
- Crucial MX100, MX200, and MX300 internal solid state disks
- Samsung T1, T3, and T5 USB external solid state disks
- Samsung 840 EVO and 850 EVO internal solid state disks
- Other drive models with hardware-based encryption from these or other manufacturers may also be affected, but this has not yet been demonstrated or announced.
Users who have an affected drive model but are using DDPE from UCSF to encrypt that drive are NOT susceptible to this vulnerability.
WHAT’S THE PROBLEM?
An attacker with physical access to an affected encrypted drive could gain unauthorized and complete access to encrypted data. Microsoft BitLocker encryption provides no additional protection to encrypted data on affected drives when using the default settings in Windows 8.1, 10, Server 2012, Server 2016, or Server 2019.
WHAT DO I NEED TO DO?
1. Determine if Your Computer is Affected
Users who have an affected drive model but are using DDPE from UCSF are NOT susceptible to this vulnerability.
If you are using BitLocker encryption on a Windows computer, you should apply firmware updates for your drive as available and also determine if BitLocker is using hardware-based or software-based encryption.
To determine whether BitLocker is using hardware-based encryption or software-based encryption:
- Run "manage-bde.exe -status" in an administrator command prompt.
- If the "Encryption Method" starts with "Hardware Encryption", then BitLocker is using the drive’s hardware-based encryption. You will need to take additional action to secure your data. These steps are detailed below.
- If the "Encryption Method" states something other than "Hardware Encryption", such as "AES-128" or "XTS AES-256 with Diffuser", then BitLocker is using software-based encryption and you do not need to take additional action.
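A script that automates the check above, added here as an example and not part of the UCSF advisory or of Microsoft's tooling: it parses the output of "manage-bde.exe -status" and flags every volume whose Encryption Method starts with "Hardware Encryption". The sample output embedded in the script is constructed (including the OID suffix) so the parser can be exercised offline with -UseSample.

```powershell
# Added example: parse "manage-bde.exe -status" output and flag BitLocker
# volumes that rely on the drive's own hardware encryption. Run with
# -UseSample to exercise the parser offline against the constructed text
# below; without it, manage-bde is run (needs an elevated prompt).
param([switch]$UseSample)

# Constructed sample in the shape of manage-bde output. The OID after the
# dash is illustrative, not captured from a real drive.
$sample = @"
Volume C: [Windows]
[OS Volume]

    Size:                 476.81 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Size:                 931.51 GB
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
"@

$text = if ($UseSample) { $sample } else { (& manage-bde.exe -status) -join "`n" }

$volume = $null
$results = foreach ($line in ($text -split "`r?`n")) {
    if ($line -match '^Volume\s+([A-Z]:)') { $volume = $Matches[1]; continue }
    if ($line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
        $method = $Matches[1]
        # The advisory's test: a method beginning "Hardware Encryption" means
        # BitLocker is delegating to the SSD controller, not encrypting itself.
        $hardware = $method.StartsWith('Hardware Encryption')
        $action = if ($hardware) { 'Follow steps 2 and 3 of the advisory' } else { 'No action needed for this issue' }
        [pscustomobject]@{
            Volume   = $volume
            Method   = $method
            Hardware = $hardware
            Action   = $action
        }
    }
}
$results | Format-Table -AutoSize
```

Against the constructed sample, C: is reported as hardware-encrypted and D: as software-encrypted; on a real machine, run it from an administrator PowerShell prompt without -UseSample.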
2. Update Your Drive Firmware
UCSF recommends making a full backup of all data on a drive before updating firmware.
Crucial released firmware updates for MX100 and MX200 drives in May 2018. A firmware update for MX300 drives is expected to be available after November 13, 2018 to address this vulnerability. Contact Crucial support for more information at http://www.crucial.com/usa/en/support-ssd.
Samsung has recommended that users with external SSDs (such as the T1, T3, and T5 products) update the firmware on these products. For more details, see: https://www.samsung.com/semiconductor/minisite/ssd/support/consumer-notice/. You may also be able to use software-based encryption products on these drives to encrypt data.
Samsung has not indicated that they will release a firmware update for 840 EVO and 850 EVO internal SSDs; users of these drives will need to switch to a software-based encryption method as detailed below.
3. Switch to Software-Based Encryption
If you are using hardware-based disk encryption on a non-Windows computer, apply firmware updates as available and/or switch to software-based encryption. As a reminder, any device used for UCSF work or study must be encrypted to comply with the UCSF Minimum Security Standard (http://tiny.ucsf.edu/mss).
Samsung has recommended that users with internal SSDs install and use software-based encryption to encrypt data on their drives.
UCSF recommends that users with internal Samsung SSDs using hardware-based encryption, BitLocker, or both should:
- Make a full backup of all data on the drive
- Decrypt BitLocker and any hardware-based encryption on the drive
- If you plan to use BitLocker to encrypt again, you must disable hardware-based encryption for BitLocker. This step requires editing local Group Policy on Windows and should not be done lightly. You do not need to perform this step if you use a software-based encryption product such as DDPE instead of BitLocker.
Edit local Group Policy to disable hardware-based encryption for BitLocker as described at:
WARNING: Serious problems may occur if you edit Group Policy settings incorrectly or edit Group Policy settings other than the one specified. These problems may require that you reinstall Windows and/or may carry serious and non-obvious negative implications for the usability, confidentiality, availability, and integrity of your computer and data. There is no guarantee that these problems can be diagnosed or solved in a timely manner.
Edit Group Policy at your own risk.
UCSF IT Field Services and the UCSF IT Service Desk may not be able to assist you with editing Group Policy settings on BYOD or unsupported computers.
- Re-encrypt the drive with BitLocker, OR re-encrypt the system using a software-based encryption product such as DDPE.
DDPE is available for free to the UCSF community at https://software.ucsf.edu and support for it is available 24/7 via the IT Service Desk at http://help.ucsf.edu or at 415-514-4100.
Other software-based encryption products can also be used to secure data.
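A read-only audit to confirm that the Group Policy change in step 3 actually took effect before you re-encrypt, added here as an example and not part of the UCSF advisory. It assumes that the three registry value names are the ones the BitLocker Group Policy template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE for the "Configure use of hardware-based encryption" settings (0 = Disabled); confirm them against Microsoft ADV180028 for your Windows build.

```powershell
# Added example: read-only audit of the local BitLocker policy values that
# control hardware-based encryption, so you can confirm the Group Policy
# change took effect before re-encrypting. Assumption: these are the value
# names the BitLocker ADMX template writes under the FVE policy key
# (0 = Disabled); check them against Microsoft ADV180028 for your build.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$settings = [ordered]@{
    OSHardwareEncryption  = 'operating system drives'
    FDVHardwareEncryption = 'fixed data drives'
    RDVHardwareEncryption = 'removable data drives'
}

function Get-PolicyValue([string]$Name) {
    # $null means Not Configured: the key or the value is absent.
    try { (Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$report = foreach ($name in $settings.Keys) {
    $value = Get-PolicyValue $name
    if ($null -eq $value) {
        $state = 'Not Configured: BitLocker may still choose hardware encryption'
    } elseif ($value -eq 0) {
        $state = 'Disabled: software encryption enforced for newly encrypted volumes'
    } else {
        $state = "Enabled ($value): hardware encryption allowed"
    }
    [pscustomobject]@{ Drives = $settings[$name]; ValueName = $name; State = $state }
}
$report | Format-Table -AutoSize -Wrap
# The setting only governs volumes encrypted after it is applied, which is
# why the advisory has you decrypt first and re-encrypt afterwards.
```

A volume that was already encrypted with hardware encryption stays that way regardless of what this audit reports, so the decrypt and re-encrypt steps above are still required.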
For more information, see:
- IT Security at https://it.ucsf.edu/security
- How to Encrypt Your Computer at https://it.ucsf.edu/encrypt
- Dell Data Protection (DDPE) at https://it.ucsf.edu/services/dell-data-protection-encryption-ddpe