The researchers found that the data encryption keys used to secure data stored on the drives are not derived from the owner’s password and that an attacker with physical access to the drives can reprogram the drives via a debug port to accept any password. Once the drives have been reprogrammed, the SSDs will use the stored Data Encryption Keys to encrypt and decrypt all stored data.
With questions now arising into just how safe hardware encrypted SSDs are, John Michael, CEO, iStorage Limited said: “This is an extremely worrying issue for anyone who has purchased such Self Encrypting SSDs believing that their data is encrypted and secure. According to researchers at Radbound University, the flaws range from very easy to slightly more complicated. ZDNet reported that they found that certain Self Encrypting SSDs come with support for a “master password”, which is written in the manual and can be used to gain access to the user’s encrypted password, effectively bypassing the user’s custom password. The other vulnerability relates to the user-chosen password not being linked to the Data Encryption Key, allowing an attacker to reprogram the drives’ debug port to accept any password and access all data contained therein."
That said, his customers need not be concerned about these flaws being present in iStorage products. iStorage products are not vulnerable to any such attacks reported by the researchers which is probably why he is so happy to talk about it.
So far, a hacking company in China, Golon International, has listed on their website numerous microprocessors which they claim to have hacked. As an example, the Microchip PIC18F26K22, which is used within some so-called secure portable data storage devices is listed as being hacked. The same company attempted to hack the iStorage secure microprocessor and failed, said Michael.
"We strongly recommend that customers ask manufacturers of secure portable data storage devices to disclose which microprocessor is incorporated within their products, and then visit the Golon website to see if such microprocessors are listed as being hacked. If they are, then we strongly recommend that customers steer clear of any products that incorporate such vulnerable microprocessors. This latest vulnerability with Self Encrypting SSDs is an excellent example of why PIN authenticated portable data storage devices which incorporate secure microprocessors, should be chosen over simple password-based and other PIN authenticated drives that use non-secure microprocessors.”