Data storage devices from Samsung and others leave customers at risk
Vulnerabilities found in storage drives from Samsung and others allow hackers easy access to customer information.
New research from Radboud University into the way solid-state drives (SSDs) encrypt stored data found that serious vulnerabilities exist in widely used products from popular manufacturers like Samsung and Crucial (Micron Technology). As these drives do not provide a high level of protection, a malicious expert with direct physical access to them could easily bypass existing security measures to gain access to the data, without knowing the user’s chosen password.
According to the report, the vulnerabilities occur both in internal (laptops, tablets and computers) and in external storage devices (connected via a USB cable).
“The main risk for self-storage device users is the belief that merely using the encryption included with the drives will keep their data safe,” said Luis Corrons, Avast security evangelist. “Unfortunately, that is never the case. These devices are only equipped with a light security layer, and not a reliable one in this particular case.”
Bernard van Gastel, one of the researchers on the report, says, “The affected manufacturers were informed six months ago, in line with common professional practices. The results are being made public so users of the affected SSDs can protect their data properly.” Researcher Carlo Meijer, who also contributed to the report, added, “This problem requires action, especially by organizations storing sensitive data on these devices. And also by some consumers who have enabled these data protection mechanisms. But most consumers haven’t done that.”
In response, Samsung has published a consumer notice on the matter. For its portable SSDs, Samsung recommends updating the device’s firmware with a patch. For its nonportable SSDs, Samsung recommends installing encryption software. As well, the Software Engineering Institute CERT center issued Vulnerability Note VU#395981 on this topic.
SSD makers don’t typically tout strong security on their devices. Thus, if you own one or more of these drives, it’s always a safer bet to have your security protection tiered and layered. In the case of the Samsung and Micron devices, it means you should not rely on them to handle authentication, encryption and data storage all on their own. Here are some recommended actions you should take:
- Update your SSD firmware from Samsung or Crucial (Micron).
- Do not rely on hardware encryption alone. As researcher Bernard van Gastel recommends, “take additional measures such as installing the VeraCrypt software encryption.”