Hardware encryption bypass on MX100, MX200 and MX300 SSDs

Kilobyte Kid

Hardware encryption bypass on MX100, MX200 and MX300 SSDs

A paper has been published that details how to bypass hardware encryption on Crucial MX100, MX200 and MX300 SSDs: https://www.ru.nl/publish/pages/909275/draft-paper_1.pdf

Can we expect a firmware fix for this?

36 Replies
Kilobyte Kid

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs

The ZDNet article says the vulnerabilities were found in April, and "both SSD vendors whose products they've tested... have released firmware updates to address the reported flaws", but it would be good to get a clear answer from the horse's mouth.

 

I'd very much like to know if it affects the MX500 as well, since the researchers didn't look at current drives. I specifically bought a few MX500s due to the SED capability, so I'll be quite grumpy if I have to go back to software encryption and take the performance hit.

JEDEC Jedi

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs


@hoodoo wrote:

I'd very much like to know if it affects the MX500 as well

Oh my... This news is not good at all.

I would like to know if it affects older models M500 and M550 as well. I use this feature on those drives and it is very likely they are affected too.

 

Firmware update notes say:

Firmware revisions MU05 for the MX200 (all form factors) and MU03 for the MX100 (all form factors)

Release Date: 5/25/2018 (both updates)

  • Resolves security vulnerability

There is no such information for MX300!

Crucial Employee

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs

Micron is aware of the Radboud University researchers’ report describing a potential security vulnerability in its Crucial MX100, MX200 and MX300 products.  This vulnerability can only be exploited by an individual who is able to remove the drive from the system, has the relevant equipment, as well as knowledge of the drive’s electrical and firmware functionality.

 

Micron has developed firmware patches to address vulnerabilities in the MX100, MX200 and MX300 products.  The MX100 and MX200 firmware updates are available today on crucial.com.  The ETA for the MX300 firmware is planned for November 13, 2018.

 

Micron is committed to conducting business with integrity and accountability, which includes delivering best-in-class product quality, security, and customer support.

Kilobyte Kid

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs


@Crucial_AgentC wrote:

Micron has developed firmware patches to address vulnerabilities in the MX100, MX200 and MX300 products.


Hi @Crucial_AgentC, thank you for your comment. These are serious vulnerabilities.

 

Please can you confirm which existing (or upcoming) firmware versions contain the relevant fixes for:

  • MX100
  • MX200
  • MX300

Can you please also confirm whether or not the MX500 is affected by any of the vulnerabilities highlighted in the Radboud research (as it was not included in their analysis), and if so, the relevant firmware version for that model as well?

 

Thank you.

 

Highlighted
JEDEC Jedi

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs


@djcater wrote:

Can you please also confirm whether or not the MX500 is affected by any of the vulnerabilities highlighted in the Radboud research (as it was not included in their analysis), and if so, the relevant firmware version for that model as well?

 


The MX500 isn't affected. Smiley Happy

Kilobyte Kid

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs


@targetbsp wrote:


The MX500 isn't affected. Smiley Happy


Thanks for your comment @targetbsp.

 

How do you know that the MX500 isn't affected please?

JEDEC Jedi

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs


@djcater wrote:

@targetbsp wrote:


The MX500 isn't affected. Smiley Happy


Thanks for your comment @targetbsp.

 

How do you know that the MX500 isn't affected please?


Bogdan asked in the private forum for super users ( https://forums.crucial.com/t5/Forum-Rules-Guidelines/Crucial-Super-User-Program/td-p/180442 ) and they replied that it is unaffected.  It uses an entirely different brand of drive controller to the previous MX drives so that may be why?

Lee
Kilobyte Kid

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs

I can't find the link to the patch for the mx100 and mx200?
JEDEC Jedi

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs