Microsoft Issues Security Advisory About Solid State Drive Hardware Encryption
Microsoft released security advisory ADV180028 on Tuesday for computer users who have self-encrypting solid-state drives (SSDs) protected by Microsoft's BitLocker encryption system.
In that configuration, BitLocker defaults to using the SSD's hardware encryption instead of its own software-based encryption. Researchers at Radboud University in the Netherlands, however, have found ways to bypass the secrets that are supposed to keep hardware-encrypted data on SSDs secure.
The hardware encryption bypass requires code execution on the SSD's controller. That "can be done with JTAG [Joint Test Action Group], memory corruption, storage chip content manipulation and fault injection," although the researchers did not explain in detail how they broke the encryption, he wrote.
The researchers explained how they bypassed the security of self-encrypting drives (SEDs) in a paper (PDF download):
By reverse engineering, we have analyzed the full-disk encryption implementation of various SEDs from different vendors. Combined, these vendors cover nearly half of the SSDs sold today. We found critical vulnerabilities in the drives examined. In many cases, it is possible to recover the contents of the drive without any knowledge of the password or secret key, so that encryption is completely bypassed.
In other words, SSD hardware encryption on the affected drives is not secure. BitLocker users are exposed to the problem because BitLocker elects to use the SSD's hardware encryption when the drive offers it.
The researchers tested and confirmed that the following SSDs are affected:
- Crucial (Micron) MX100, MX200 and MX300 internal drives
- Samsung T3 and T5 portable (external) drives
- Samsung 840 EVO and 850 EVO internal drives (when using ATA security in "high" mode)
They were not optimistic about the prospects of a firmware fix for these drives:
Conceptually, it is possible to solve the problems with firmware updates. Unfortunately, at the time of writing, firmware or software updates were not available for all drives, or the vendors had not responded adequately to the problems.
The researchers recommended using software encryption instead, which involves a few additional steps on systems with such SSDs; on Windows this is done through Group Policy settings. For the software encryption scheme, they suggested an "open source and audited" full-disk encryption package such as VeraCrypt.
BitLocker users can instead switch to Microsoft's built-in software encryption. Microsoft recommends enforcing software encryption, which is done through the BitLocker Drive Encryption settings in Group Policy. The idea is to override BitLocker's default behavior, which prefers hardware-based encryption whenever the drive supports it.
When the SSD is already using hardware encryption, there is a process for switching to BitLocker software encryption. Here is Microsoft's warning note:
Note: After a drive has been encrypted using hardware encryption, switching to software encryption on that drive requires that the drive be decrypted and then re-encrypted using software encryption. If you are using BitLocker Drive Encryption, changing the Group Policy value to enforce software encryption alone is not sufficient to re-encrypt existing data.
Microsoft's guidance indicates that IT pros will have to turn off BitLocker (decrypting the drive), set Group Policy to force software encryption, and then re-enable BitLocker on those SSDs. It explicitly states that there is no need to reformat the drive.
Unfortunately, Microsoft and the researchers do not seem to agree on whether reformatting the drive is needed. The researchers write:
On affected models, the default setting must be changed so that only software encryption is used. This change does not resolve the issue immediately, because it does not re-encrypt existing data. A completely new installation, including reformatting the internal drive, enforces software encryption. As an alternative to re-installation, the VeraCrypt software package mentioned above is available.
When asked about the discrepancy over reformatting the drive, a Microsoft spokesperson said there was nothing to share beyond Microsoft's recommendation.
The researchers published a draft report describing their findings (PDF download). They did not promise to release exploit code for the flaws, and said they had reported them to the SSD makers in April under a "responsible disclosure" process.
Samsung issued a consumer notice on the issue. For portable SSDs, Samsung recommends updating the device firmware with a patch. For non-portable SSDs, Samsung recommends installing encryption software.
In a Windows environment, it is possible to check whether an SSD is using hardware or software encryption. Per Microsoft's advisory, IT pros can run "manage-bde.exe -status" from an elevated command prompt: a volume protected by the drive's own encryption reports "Hardware Encryption" in the Encryption Method field, while a volume protected by BitLocker's own cipher reports an AES mode such as "XTS-AES 128" or "XTS-AES 256".
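The check just described, together with Microsoft's decrypt / set-policy / re-encrypt procedure from the paragraphs above, scripted in PowerShell as an added example. This is not code from Microsoft's advisory or from the Radboud paper. It uses the BitLocker PowerShell module (Get-BitLockerVolume, Disable-BitLocker, Enable-BitLocker, Add-BitLockerKeyProtector), which is Microsoft's, and it assumes that the registry values behind the three "Configure use of hardware-based encryption" policies are OSHardwareEncryption, FDVHardwareEncryption and RDVHardwareEncryption under HKLM\SOFTWARE\Policies\Microsoft\FVE, with 0 meaning "Disabled"; that mapping is taken from the VolumeEncryption.admx template as the author recalls it, so verify it against gpedit.msc or set the policy through a GPO instead. The function and variable names are the author's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's or the researchers' code): inventory BitLocker volumes that
# rely on the drive's own (SED) encryption and migrate a chosen volume to BitLocker software
# encryption by decrypting, enforcing the policy, then re-encrypting, as ADV180028 describes.

# Assumption: these are the registry values behind the Group Policy settings
# "Configure use of hardware-based encryption for operating system / fixed data / removable
# data drives" (VolumeEncryption.admx). Value 0 == policy "Disabled" == software encryption only.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$HardwarePolicyValues = 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption'

function Get-HardwareEncryptedVolume {
    # Equivalent of scanning "manage-bde -status" for "Hardware Encryption" in Encryption Method.
    Get-BitLockerVolume |
        Where-Object { $_.EncryptionMethod -eq 'Hardware' } |
        Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionMethod, ProtectionStatus
}

function Set-BitLockerSoftwareOnlyPolicy {
    # Forbid hardware encryption for OS, fixed and removable drives. Affects volumes encrypted
    # from now on only; existing hardware-encrypted volumes are NOT re-encrypted by this change.
    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
    foreach ($name in $HardwarePolicyValues) {
        New-ItemProperty -Path $FvePolicyKey -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Convert-ToSoftwareEncryption {
    param([Parameter(Mandatory)][string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.EncryptionMethod -ne 'Hardware') {
        Write-Host "$MountPoint already uses $($vol.EncryptionMethod); nothing to do."
        return
    }

    # Step 1: decrypt. Microsoft's note: flipping the policy alone leaves existing data as is.
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ('{0}: {1}, {2}% encrypted' -f $MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')

    # Step 2: enforce software encryption before BitLocker is turned back on.
    Set-BitLockerSoftwareOnlyPolicy

    # Step 3: re-encrypt with BitLocker's own cipher (XTS-AES-256). Full-volume rather than
    # -UsedSpaceOnly, so no sector is left relying on the drive's key. The OS volume is keyed
    # by the TPM; a data volume gets a recovery password protector instead.
    if ($vol.VolumeType -eq 'OperatingSystem') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    } else {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
    }
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { Write-Host "Recovery password for ${MountPoint}: $($_.RecoveryPassword)  (escrow it now)" }
}

# Inventory only. Run Convert-ToSoftwareEncryption 'C:' on each listed volume after
# backing up the data and the existing recovery keys.
Get-HardwareEncryptedVolume | Format-Table -AutoSize
```

This follows Microsoft's decrypt-and-re-encrypt path, which the advisory says does not require a reformat; the researchers instead recommended a clean reinstall with the drive reformatted, or VeraCrypt, so an organization that takes the more conservative view should wipe and rebuild rather than run the conversion. Either way, escrow the new recovery password (Active Directory, Azure AD or your key management system) before rebooting, and expect the decryption loop to take a long time on a large volume.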