
SSD, Fusion and flash drives


Ric Ford

MacInTouch
Just some clarification for people confused (as I was) by the insanity of USB naming...
"USB 3.1 Gen 1" is exactly the same thing as "USB 3.0" (5 Gbps)
"USB 3.2 Gen 2" is exactly the same thing as "USB 3.1 Gen 2" (10 Gbps)
"USB 3.2 Gen 2x2" is a new, 20Gbps version. (I don't know of any products using it yet, and it needs special hardware on both ends of the connection to work at 20 Gbps.)
 


Ric Ford

MacInTouch
Found the manual on Samsung's semiconductor site (the US computer accessory site doesn't have it)....
Thank you very much for that link. Here's one problem noted in the manual that looks like a PITA for me personally, as I use the SATSMART driver extensively to keep tabs on SMART reliability data for external drives (e.g. USB backup drives):
Samsung said:
Samsung Portable SSD T7 Touch | Samsung External Storage

“Samsung Portable SSD” driver and some of 3rd party drivers, including SATSMART driver are mutually exclusive. If you wish to work with SATSMARTDriver, please remove Samsung Portable SSD driver and install SATSMARTDriver as following instruction.

* When both Samsung Portable SSD Driver and SATSMARTDriver are installed and conflict is detected, the instructions like the following will be available:

How to remove Samsung Portable SSD Driver and install SATSMARTDriver
sudo kextunload /Library/Extensions/SamsungPortableSSDDriver.kext
sudo kextload /Library/Extensions/SATSMARTDriver.kext


How to remove SATSMARTDriver and install SamsungPortableSSDDriver
sudo kextunload /System/Library/Extensions/SATSMARTDriver.kext
sudo kextload /Library/Extensions/SamsungPortableSSDDriver.kext
 


I would appreciate any thoughts or opinions on the viability of using the new Samsung T7 Touch as a MacBook Pro bootable startup disk to run a complete set of macOS, applications, and user account. The goal would be to have a self-contained secure work environment independent of the MacBook hardware. Thanks in advance...
P.S. Would it make any difference to use Mojave for the T7 Touch bootable OS vs. Catalina? (The MacBook Pro is currently running Sierra.)
Why is the T7 Touch useful for an individual user? It seems to me that using the macOS encryption would be equally secure and a lot easier to use during the boot process. I would guess that the fingerprint is useful if your computer is stolen while logged in or hacked without the T7 not mounted.
 


Just some clarification for people confused (as I was) by the insanity of USB naming...
"USB 3.1 Gen 1" is exactly the same thing as "USB 3.0" (5 Gbps)
"USB 3.2 Gen 2" is exactly the same thing as "USB 3.1 Gen 2" (10 Gbps)
"USB 3.2 Gen 2x2" is a new, 20Gbps version. I don't know of any products using it yet, and it needs special hardware on both ends of the connection to work (at 20 Gbps).
Both the Microsoft Surface Pro X and Surface Laptop 3's USB-C ports support USB 3.2 Gen 2x2 [see below].

I wonder if that new drive you got there, Ric, supports the same?
 





Ric Ford

MacInTouch
I received the 1TB Samsung Portable SSD T7 Touch today that I had ordered from Amazon, and I'm starting to evaluate it. A few initial notes...
I'm posting Samsung T7 Touch test results in the benchmarks topic.
I've now taken the next steps:
  1. I ran the Samsung installer (on a plain vanilla macOS Mojave clone). It required a restart on completion.
  2. I then ran the Samsung app and used it to check for updates – none found.
  3. With the T7 Touch initially in "Security mode off" I chose "Security with Password and Fingerprint" and went through an iPhone Touch ID-like process to add a fingerprint.
  4. You can add as many as four fingerprints, delete them, change the password, and turn off Fingerprint Unlock, as desired.
  5. I copied some files to the now-encrypted exFAT volume, dismounted it and disconnected the T7 Touch.
  6. I then connected the T7 Touch to a macOS Sierra system that had no Samsung software or any clue about the T7 Touch.
  7. The volume mounted but showed only the Samsung installer software, not the files I had added myself.
  8. Putting my finger on the fingerprint sensor made the previously hidden files visible.
  9. In Disk Utility, I try to erase the drive to convert from MBR to GPT format. "Erase process has failed."
  10. Can we erase just the volume? There is no Mac OS "encrypted" option (perhaps due to the MBR format?). Plain Mac OS Extended (Journaled) does work, however. The volume is empty.
  11. Copy some files onto this Mac volume, then eject from the Finder, disconnect from USB and reconnect again.
  12. Volume mounts on the desktop but shows only the Samsung files originally on the drive (which I thought had been erased). Indicator light is off.
  13. Touch fingerprint sensor with appropriate finger: Samsung files disappear and the files I had copied onto the volume appear (without any invisible buddies).
  14. Try erasing the drive again – still doesn't work; you can only erase the volume.
  15. Will macOS boot off an MBR-formatted drive?
  16. I need the Samsung software to change the password and turn off fingerprint security. Back to the Mojave system.
 


Ric Ford

MacInTouch
...
17. I need the Samsung software to change the password and turn off fingerprint security. Back to the Mojave system.
Now things start to get weirder...
  1. Try to erase T7 Touch drive with macOS Mojave Disk Utility. It fails... but worse, now the T7 Touch volume is unmountable: "Initialize Ignore Eject"
  2. From the Samsung app, disable Security Mode for the T7 Touch. Fingerprints and password are deleted.
  3. Now I can reformat the drive with Disk Utility in GUID (GPT) format (HFS+ unencrypted)
  4. Set up password and fingerprint again.
  5. Add two partitions for a total of three:
    • APFS unencrypted
    • HFS+ unencrypted
    • HFS+ encrypted (FileVault)
  6. Clone a Mojave boot system to the unencrypted APFS volume on the T7 Touch.
  7. Fingerprint/password security is enabled for the T7 Touch.
  8. Option-reboot, select T7 Touch APFS boot volume.
  9. It boots without providing a fingerprint or password. All the data on the unencrypted HFS+ and APFS volumes is available without security!
  10. Double-check: yes, the Samsung app says that security is enabled. Well, it's not working here.
  11. Reboot as another double-check: same thing.
  12. Eject and remove T7 Touch and move it to the macOS Sierra system.
  13. T7 Touch shows a 41.9MB partition containing the default Samsung files. All the other volumes are invisible.
  14. Touch the fingerprint sensor with the finger: the hidden volumes all mount.
Huh?!

Why is fingerprint security working on the macOS Sierra system but not on the macOS Mojave system, not protecting anything there?

Is this because the Mojave system has the Samsung driver and app installed?

But... wow... with that software, there's no security. Without it, there is?

Hmmm. Dismount the volumes, still on the macOS Sierra system. Go to Disk Utility and try to remount them. No problem - they pop right up, no fingerprint or password needed.

#security
 


Ric Ford

MacInTouch
... Huh?!

Why is fingerprint security working on the macOS Sierra system but not on the macOS Mojave system, not protecting anything there?

Is this because the Mojave system has the Samsung driver and app installed?

But... wow... with that software, there's no security. Without it, there is?

Hmmm. Dismount the volumes, still on the macOS Sierra system. Go to Disk Utility and try to remount them. No problem - they pop right up, no fingerprint or password needed.

So the reformat killed security on the T7 Touch, and all it needs now to mount volumes it contains is a driver, no password, no fingerprint. Is there any going back?
OK, here's what seems to be happening:

If you unlock the T7 Touch with a fingerprint, it stays unlocked, even across volume dismounts and reboots... until you power off the drive. Only then is the password needed again.

(This is very different from how FileVault behaves, which is what confused me.)

#security
 


Ric Ford

MacInTouch
I would appreciate any thoughts or opinions on the viability of using the new Samsung T7 Touch as a MacBook Pro bootable startup disk to run a complete set of macOS, applications, and user account. The goal would be to have a self-contained secure work environment independent of the MacBook hardware. Thanks in advance...
This seems to be quite viable – see my notes above. I was able to boot macOS Mojave from the T7 Touch, complete with fingerprint encryption, and access other volumes on the drive.

As I described, the drive remains unlocked until it's powered down, even across restarts. You can unlock it at boot time (e.g. during Option boot). You can also turn off the drive's own encryption and/or use FileVault encryption with it. To reformat the whole drive, you have to turn off its security.
 


Ric Ford

MacInTouch
The T7 Touch is working with Linux Ubuntu after using the fingerprint unlock feature.

Much to my surprise, an unencrypted HFS+ volume even mounted, while exFAT support (for the factory default T7 Touch format) requires some extra work in Ubuntu.
 


If you unlock the T7 Touch with a fingerprint, it stays unlocked, even across volume dismounts and reboots... until you power off the drive. Only then is the password needed again.
Makes sense. As a hardware feature, the drive knows nothing about reboots, mounting and similar things. It only knows about attempts to read and write logical disk blocks.
 



Unlike Apple's T2 security system, I guess?
The T2 is not just a drive-encryption chip. If it was, life would be a lot simpler.

The T2 also incorporates a "root of trust" for securing firmware, boot-loaders and operating systems (similar to what a TPM chip is capable of on a PC). It also incorporates (I believe) all of the functionality of the SMC chip.

So I'm not surprised that it has intimate knowledge of the software state of a running system.
 


Thank you very much for that link. Here's one problem noted in the manual that looks like a PITA for me personally, as I use the SATSMART driver extensively to keep tabs on SMART reliability data for external drives (e.g. USB backup drives):
Samsung said:
“Samsung Portable SSD” driver and some of 3rd party drivers, including SATSMART driver are mutually exclusive
Fortunately, the Samsung driver is only needed for certain functions. You only need the software for managing the Security mode (including managing passwords and fingerprints), applying firmware updates, and entering the password to unlock the drive. So, if you have fingerprint enabled (or "Security mode off"), on a day-to-day basis, you don't need to have the software installed.

In fact, you could even create a VM (macOS or Windows) specifically for the Samsung software. You just unplug the T7 drive, boot the VM, and then when reconnecting the drive, connect it to the guest VM instead of the host. You'll then be able to use the Samsung software on the VM to adjust the security settings or update the firmware. That way you don't have to deal with installing/uninstalling the software or having to have a separate computer to connect it to for management.

Note that if you're running the drive in "Security with Password" mode (no fingerprint), you necessarily can only connect it to USB hosts that have the Samsung software installed, because you need the software to enter the password. That is, macOS, Windows, and Android hosts only.

Also, do not lose your password. In Password-only mode, that will obviously completely lock you out of your drive. With fingerprint added, you will still be able to unlock the drive and access your data, but the password is still required to make any changes to the Security settings.

One last important note from the manual. Applying firmware updates requires that you disable Security mode first.
Can we erase just the volume? There is no Mac OS "encrypted" option (perhaps due to the MBR format?).
Yes, the filesystems supported on MBR are limited. You need GPT for encrypted options or for any APFS filesystem.
Will macOS boot off an MBR-formatted drive?
No. Intel Macs can only boot macOS from GPT drives.
Much to my surprise, an unencrypted HFS+ volume even mounted, while exFAT support requires some extra work in Ubuntu.
Yeah, up until last year exFAT was Microsoft-proprietary and required a license. Now that Microsoft has published the specification and released the patents, it will be included with newer Linux distributions, and should gain universal device support.
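
The MBR-versus-GPT distinction in the replies above can be checked directly from a drive's first two sectors. The following is an added example, not part of the original thread; the function names, the 512-byte sector size and the sample disk images are assumptions constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: 512-byte logical sectors (4K-native drives differ)


def partition_scheme(image: bytes) -> str:
    """Classify the start of a disk as 'GPT', 'MBR' or 'unknown'."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        return "unknown"  # sector 0 carries no boot signature
    # Four 16-byte partition entries start at offset 446; byte 4 is the type.
    types = [image[446 + 16 * i + 4] for i in range(4)]
    if 0xEE in types:
        # 0xEE marks a protective MBR; a real GPT disk also has the
        # "EFI PART" header signature at the start of sector 1.
        has_header = image[SECTOR:SECTOR + 8] == b"EFI PART"
        return "GPT" if has_header else "unknown"
    return "MBR" if any(types) else "unknown"


def _sector0(ptype: int) -> bytes:
    """Build a constructed sector 0 holding one partition entry."""
    entry = struct.pack("<B3sB3sII", 0, b"\0" * 3, ptype, b"\0" * 3, 1, 2048)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"


# Constructed samples, not dumps from a real T7 Touch.
MBR_EXFAT = _sector0(0x07) + bytes(SECTOR)             # 0x07: exFAT/NTFS type
GPT_DISK = _sector0(0xEE) + b"EFI PART" + bytes(504)   # protective MBR + header
DAMAGED_GPT = _sector0(0xEE) + bytes(SECTOR)           # header signature missing

if __name__ == "__main__":
    for name, img in [("factory-style MBR", MBR_EXFAT),
                      ("reformatted GPT", GPT_DISK),
                      ("protective MBR only", DAMAGED_GPT)]:
        print(f"{name}: {partition_scheme(img)}")
```

To check a real drive, pass the first 1024 bytes read from the raw device; only a "GPT" result matches the requirement stated above for APFS, encrypted volumes and booting an Intel Mac.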
 



Why is the T7 Touch useful for an individual user? It seems to me that using the macOS encryption would be equally secure and a lot easier to use during the boot process.
Given the ease with which some of these self-encrypting/fingerprint systems have been fooled, I'd avoid them like the plague.
PortSwigger said:
On the other hand, the evidence suggests that FileVault 2 is secure.
The Guardian said:
Hence, I'd steer clear of allegedly-secure, allegedly fool-proof promises and stick to systems that have been probed for weaknesses and given a clean bill of health. Not because I have any aspiration of storing objectionable content on my hard drives but simply as a matter of good computer hygiene.
 


Given the ease with which some of these self-encrypting/fingerprint systems have been fooled, I'd avoid them like the plague.
Ease is in the eye of the beholder. Depending on which report is more accurate, that exploit requires "physical access to the drive, deep technical SSD knowledge and advanced engineering equipment."

But even if it doesn't, a device like the Samsung T7 Touch (assuming it isn't easy to just forge a compatible fingerprint) will still work great to stop opportunists, like a petty thief who grabs the drive off of a table – certainly better than a completely insecure $10 USB stick, even if it won't hold up against an attack by someone with the time and skills to crack it.

Like all security solutions, it is effective against some kinds of attacks and not against other kinds.

And, as with any other kind of drive, you can always use any of several different kinds of software encryption in conjunction with the hardware. For example, FileVault, encrypted disk images, encrypted zip files, or just encrypting individual files.

#security
 


Given the ease with which some of these self-encrypting/fingerprint systems have been fooled, I'd avoid them like the plague.
These vulnerabilities cited from over a year ago have been addressed by updates provided by the affected vendors.
CERT/CC said:
On the other hand, the evidence suggests that FileVault 2 is secure.

Hence, I'd steer clear of allegedly-secure, allegedly fool-proof promises and stick to systems that have been probed for weaknesses and given a clean bill of health.
FileVault 2 has had its share of vulnerabilities in the past too. [1] [2] [3]
Apple has also issued updates to address them.

The point is no security system is perfect, and it's important to keep up on security updates from your vendors.

#security #SSD #FileVault
 


Ric Ford

MacInTouch
FYI: Amazon now has the Samsung T7 Touch SSD available, and I just ordered one, but it's in very limited supply. Grab it fast if you want one soon.
Amazon now has the Samsung T7 Touch SSD in stock in both black and silver, 500GB or 1TB capacity. Prices when checked:
  • $129.99 for 500 GB
  • $229.99 for 1TB
  • 2TB: n/a
(See above for details and performance tests of this fast, compact, 10Gbps USB SSD with built-in fingerprint authentication.)
 




