Hardware encryption bypass on MX100, MX200 and MX300 SSDs

Crucial Employee

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs

Hello,

 

Thank you for contacting us. The MX500 is not affected by the vulnerability in the news lately. 





Crucial_AgentC, Micron CPG Support, US


How do I know what memory to buy?
Shop for your region: US | UK | EU | France | Global
I think my memory is bad. What do I do now?
FAQs and Top Forum Solutions
We want your feedback! Post in the Suggestion Box
Did a user help you? Say thanks by giving Kudos!
Still need help? Contact Customer Service
Want to be a Super User?
Highlighted
mev
Kilobyte Kid

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs

@Crucial_AgentC

 

As a former embedded developer, I find this vulnerability extremely suspicious. It looks to me very much like a deliberately-written backdoor.

 

Would I be correct in presuming that the firmware in the vulnerable drives were originally written by the controller vendor (Marvell in this case, I believe) and then customised by Micron?

 

Has the firmware in your drives ever had a security audit? Does Micron have any plans to have their firmware audited for security issues in the future?

Kilobyte Kid

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs

Yes, it really looks like a deliberate backdoor.

Hard to imagine an engineer skilled enough to implement a complex system as Opal Tcg would compare two passwords to grant access instead of using the password to decrypt DEK (Drive Encryption Key).

 

But we will never know how this really happened, could still be a mistake.

 

Sorry for any mistakes. English is not my native language

Lee
Kilobyte Kid

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs

@Crucial_AgentC
No answer on my easy questions?
Kilobyte Kid

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs

On twitter on of the authors of https://www.ru.nl/publish/pages/909275/draft-paper_1.pdf wrote

 

Bernard van Gastel @bvgastel 23h23 hours ago

 
 

About that SSD research we did: we sort of stumbled into it. Just by being curious how SSDs would work, as a hobby project for off hours. We assumed nothing, and tested every assumption. Then one evening we discussed encryption, while riding our bikes, and 15 min later we were in

Crucial Employee

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs

Thank you for your question. The response given by @bogdan was correct, the MU05 firmware for the MX200 and the MU03 for the MX100 in May of 2018. This is the latest update and contains the fix for the vulnerability. 





Crucial_AgentC, Micron CPG Support, US


How do I know what memory to buy?
Shop for your region: US | UK | EU | France | Global
I think my memory is bad. What do I do now?
FAQs and Top Forum Solutions
We want your feedback! Post in the Suggestion Box
Did a user help you? Say thanks by giving Kudos!
Still need help? Contact Customer Service
Want to be a Super User?
Kilobyte Kid

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs

Hello ,

 

Update MU05 preserved both data and password.
Could you please explain how it is possible to create linkage between password and DEK (Drive Encryption Key) without erasing the drive and setting a new password ?

 

Sorry for any mistakes. English is not my native language.

Crucial Employee

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs

Firmware updates to resolve potential security vulnerabilities are in development and will be available soon. Please check back towards the end of November for updates to the MX300 firmware.





Crucial_Benny, Micron CPG Support, US


How do I know what memory to buy?
Shop for your region: US | UK | EU | France | Global
I think my memory is bad. What do I do now?
FAQs and Top Forum Solutions
We want your feedback! Post in the Suggestion Box
Did a user help you? Say thanks by giving Kudos!
Still need help? Contact Customer Service
Want to be a Super User?
Kilobyte Kid

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs

Repeating what bodgan asked, is the M500 and M550 is also affected?  Most likely considering the MX100, MX200 and MX300's firmware were derived from the 2 earlier drives and all use Marvell based controllers.

 

Will the M500 and M500 get security fixes?

Crucial Employee

Re: Hardware encryption bypass on MX100, MX200 and MX300 SSDs

@Guest2 only the MX100, MX200, and MX300 were effected by this. Firmware updates were rolled out for the MX100 and MX200 in May, so as long as you have the most recent firmware on those drives they are secure. The MX300 is last drive waiting on the update. This issue does not effect the current line of drives, including the MX500.





Crucial_Benny, Micron CPG Support, US


How do I know what memory to buy?
Shop for your region: US | UK | EU | France | Global
I think my memory is bad. What do I do now?
FAQs and Top Forum Solutions
We want your feedback! Post in the Suggestion Box
Did a user help you? Say thanks by giving Kudos!
Still need help? Contact Customer Service
Want to be a Super User?