News Researchers warn of severe SSD security vulnerabilities

Discussion in 'Article Discussion' started by bit-tech, 5 Nov 2018.

  1. bit-tech

    bit-tech Supreme Overlord Staff Administrator

    Joined:
    12 Mar 2001
    Posts:
    1,515
    Likes Received:
    27
    Read more
     
  2. Originality

    Originality New Member

    Joined:
    10 Oct 2018
    Posts:
    1
    Likes Received:
    0
    Wow. This could be huge, especially knowing how many companies rely on the protections of BitLocker as standard policy.

    But how big is the realistic threat? How easy is it to implement? What measures can be taken to make SSDs safer? Firmware updates, or better hardware?

    Needs more study.
     
  3. Pliqu3011

    Pliqu3011 all flowers in time bend towards the sun

    Joined:
    8 Aug 2009
    Posts:
    2,639
    Likes Received:
    235
    Tiny typo spotted: second author's surname should be "van Gastel" (with -el)
     
  4. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    11,016
    Likes Received:
    1,059
    The paper's pretty detailed in how the attacks work, but they all require physical access - which, given that's exactly the scenario data encryption is supposed to protect against, ain't exactly good.

    Samsung's already released firmware updates for the T3 and T5 - plus the T1, but for some reason you have to talk to support to get that one - which it claims fix the problems, but it recommends that users of its other drives give up on the hardware encryption and use software encryption (after making sure the software encryption is actually software encryption, i.e. don't use BitLocker). Crucial/Micron ain't got back to me yet.
    Hah - years of mentally correcting all the American -el suffixes in press releases to -le has me undone! Fixed now - ta!
     
  5. edzieba

    edzieba Virtual Realist

    Joined:
    14 Jan 2009
    Posts:
    2,674
    Likes Received:
    163
    Presumably BitLocker could be updated with a blacklist of drives with non-functional encryption and 'failed over' to the software implementation if one is present.
     
  6. z0mijiu0

    z0mijiu0 New Member

    Joined:
    7 Nov 2018
    Posts:
    1
    Likes Received:
    0
    So when you say software encryption you're talking about programs like VeraCrypt?

    I noticed that the program has a number of encryption methods so I was wondering about which one would be secure but not affect the read / write speeds too much (i5-7300hq cpu).
     
  7. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    11,016
    Likes Received:
    1,059
    Article updated with Samsung, Micron, and Microsoft statements - the latter including instructions for switching BitLocker from hardware to software encryption (which you can only do via Group Policy changes, annoyingly.)
    Aye, that sort of thing.
    When in doubt, go AES: it's the same algorithm the hardware encryption uses, and modern CPUs include AES acceleration instructions. Handily, VeraCrypt has a built-in benchmark - here are the results from a test on my A10-5800K desktop:

    [Image: VeraCrypt benchmark results (upload_2018-11-9_9-21-31.png)]

    As you can see, AES is by far and away the fastest algorithm thanks to the acceleration instructions. At 1.4GB/s write and 1.9GB/s read, it's considerably faster than most SSDs - so you shouldn't see an impact, except that it will load the CPU during encryption and decryption operations. In other words, things might be a bit slower.

    The other algorithms are really only there if you don't trust the US Government-approved AES algorithm, and come with considerable performance penalties - especially when you start chaining them, which is what the brackets indicate: AES(Twofish(Serpent)) means data is encrypted first with AES, then the encrypted output encrypted again with Twofish, then the encrypted output encrypted again with Serpent. If there's a flaw or backdoor in any one of the three algorithms, your data is still secure - but you take a major performance hit.
     