- Analytics
- Big Data
- Case Studies
- Datacentre
- Cloud
- eGov
- IoT
- IT Infra
- Leadership
- Mobile/Social
- Mobility
- Security
- Storage
- Miscellaneous
- Insights
- Digital Transformation
- Blockchain
- Workplace
- Collaboration
- Developer
- Digital India
- Infrastructure
- Networking
- Software Defined
- Telecom
- Semiconductor
- Networking
- AI / ML / BOTS
- BPO/BPM/IT Services
- Blockchain
- Security
- Insights
- Leadership
- Miscellaneous
- Enterprise Applications
- FinTech
- Innovation
- Developer
- AI/Bots/ML
Flaws in major Encrypting SSDs allow Attackers to Bypass Encryption and Decrypt Data
iStorage products are not vulnerable to any such attacks reported by the researchers
Researchers at Radbound University in the Netherlands revealed that major flaws in some Solid State Drives (SSDs) allow an attacker to bypass the password-based authentication process and access encrypted data stored on the drives.
The researchers found that the data encryption keys used to secure data stored on the drives are not derived from the owner’s password, and that an attacker with physical access to the drives can reprogram the drives via a debug port in order to accept any password. Once the drives have been reprogrammed, the SSDs will use the stored Data Encryption Keys to encrypt and decrypt all stored data.
With questions now arising into just how safe hardware encrypted SSDs are, John Michael, CEO, iStorage Ltd, stated: “This is an extremely worrying issue for anyone who has purchased such Self Encrypting SSDs believing that their data is encrypted and secure. According to researchers at Radbound University, the flaws range from very easy to slightly more complicated.
"ZDnet reported that they found that certain Self Encrypting SSDs come with support for a “master password”, which is written in the manual and can be used to gain access to the user’s encrypted password, effectively bypassing the user’s custom password. The other vulnerability relates to the user-chosen password not being linked to the Data Encryption Key, allowing an attacker to reprogram the drives’ debug port in order to accept any password and access all data contained therein.
"Our customers need not be concerned about these flaws being present in iStorage products. iStorage products are not vulnerable to any such attacks reported by the researchers. The iStorage generated Data Encryption Key, in very simple terms, is derived from the PIN that is configured and entered by the user on the onboard keypad. In addition, they incorporate a lock-down feature which prevents any attacker from reprogramming our firmware.
"Furthermore, the iStorage Common Criteria EAL4+ ready microprocessor, employs a flash lock mechanism that ensures the product constantly remains in a mode where all write-access to program memory is denied."
Unlike other similar so-called password-based and PIN authenticated products, iStorage products such as the diskAshur, diskAshur PRO and diskAshur DT incorporate a secure microprocessor with no debug ports, essentially preventing attackers from modifying the firmware.
