The drives affected by the issues are the Crucial MX100, MX200 and MX300, along with Samsung's T3 and T5 portable SSDs and the 840 EVO and 850 EV internal SATA SSDs. To gain access, the researchers first reverse-engineered their firmware, and found what they called a "pattern of critical issues." One drive could be unlocked with virtually "any password," the researchers said, because the validation system didn't work. Another used an empty string as a password, meaning you could decrypt it just by hitting the "Enter" key.
The problem is bad, but Microsoft made it worse. Bitlocker, which lets you encrypt your files on Windows 10, defaults to the disk's built-in encryption, rather than its own system. That means that if you decided to use Bitlocker for extra safety and owned one of the above-mentioned drives, you could have basically zero protection.
"Several SSDs with hardware encryption appear to be busted," said John Hopkins cryptographer Matthew Green. "But the really terrible thing is that Bitlocker apparently relies totally on the SSD encryption if you have it." On top of that, researchers think Microsoft should have known better, as reports of poor hard disk encryption systems have been circulating for years.
The Dutch researchers also called out drive makers for using proprietary encryption systems when open source ones, like VeraCrypt, are much better. On top of that, modern CPUs are programmed to decode standard AES-NI encryption, so there's no speed advantage to using an SSD's own scheme.
The researchers gave the manufacturers a six month heads up, and both have issued firmware patches to update the reported flaws, where possible. Samsung has advised users to install third-party encryption software rather than its own firmware or Bitlocker. The researchers also called on organizations and consumers who used Bitlocker or the native SSD encryption to take action. At the same time they noted that, predictably, "most consumers haven't done that."