Vulnerabilities in the way security is applied to solid-state drives manufactured by Samsung Electronics Co. Ltd. and Crucial brand drives made by Micron Technology Inc. allow hackers to easy access the drives according to a report published today.

The findings, detailed by researchers Carlo Meijer and Bernard van Gastel from Radboud University, relate to the way the SSDs self-encrypt stored data.

By reverse engineering the firmware on the devices, the researchers found a “pattern of critical issues,” including that the master password used in the encryption process was just an empty string, meaning a hacker would simply have to hit enter to access the drive. If that isn’t bad enough, another cited example involves the password validation checks not working meaning that hackers would use any password they wanted and still gain access.

The issues were found on Crucial SSD models MX100, MX200 and MX300 as well as Samsung’s T3 and T5 portable SSDs and the 840 EVO and 850 EVO SSDs, though the researchers note that it’s likely to affect other models as well because the issue relates to the firmware used by the companies.

“The affected manufacturers were informed six months ago, in line with common professional practices,” the researcher noted. “The results are being made public today so that users of the affected SSDs can protect their data properly. This problem requires action, especially by organizations storing sensitive data on these devices. And also by some consumers who have enabled these data protection mechanisms. But most consumers haven’t done that.”

Craig Young, computer security researcher for Tripwire Inc.’s Vulnerability and Exposure Research Team, told SiliconANGLE that calling these devices encrypted is massively misleading and that expecting a hard drive maker to provide meaningful security of the data it stores is “like letting the lunatics run the asylum.”

“The best security protections are tiered and layered and in this case, and that means not relying on the drive to handle authentication, encryption and data storage all on its own,” Young said. “Anyone concerned by this research should confirm that their data is encrypted by a separate system, such as BitLocker for Windows and LUKS for Linux.”

Image: Samsung