Vulnerabilities in Solid-State Drives Can Be Exploited to Decrypt Data

Researchers at Radboud University discovered vulnerabilities in solid-state drives (SSDs) that can be exploited to decrypt hardware-encrypted data without authentication, either by modifying the device firmware or by using a debugging interface to modify the password validation routine. SSDs from popular vendors Crucial and Samsung were found vulnerable. Microsoft’s BitLocker software encryption is also vulnerable, as it defaults to hardware encryption if available. Crucial has released firmware updates for its affected SSDs, Samsung has released a notice and firmware updates for some of its affected SSDs, and Microsoft has released an advisory with mitigations for BitLocker. The NJCCIC recommends reviewing the report from Radboud University for a list of affected products and vulnerability details, and updating the firmware for impacted SSDs where available.
