SoylentNews is people

posted by mrpg on Thursday November 08 2018, @08:46AM
from the advise-an-advice dept.

Submitted via IRC for Bytram

BitLocker on self-encrypted SSDs blown; Microsoft advises you switch to software protection

Yesterday, Microsoft released ADV180028, Guidance for configuring BitLocker to enforce software encryption, in response to a clever crack published on Monday by Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands (PDF).

[...] The security researchers explain that they were able to modify the firmware of the drives in a required way, because they could use a debugging interface to bypass the password validation routine in SSD drives. It does require physical access to an (internal or external) SSD. But the researchers were able to decrypt hardware-encrypted data without a password. The researchers write that they will not release any details in the form of a proof of concept (PoC) for exploit.

Microsoft's BitLocker feature encrypts all the data on a drive. When you run BitLocker on a Win10 system with a solid state drive that has built-in hardware encryption, BitLocker relies on the self-encrypting drive's own capabilities. If the drive doesn't have hardware self-encryption (or you're using Win7 or 8.1), BitLocker implements software encryption, which is less efficient, but still enforces password protection.

[...] The hardware-based self-encryption flaw seems to be present on most, if not all, self-encrypting drives.
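
To see whether a machine is in the situation described above, the following added example (not part of the quoted articles or of Microsoft's advisory) lists each BitLocker volume, flags those that rely on the drive's own encryption, and shows the state of the hardware-encryption policies. It assumes the `Get-BitLockerVolume` cmdlet from the BitLocker module and the policy values under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`; the function name `Get-HardwareEncryptedVolume` is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker volumes for reliance on SSD hardware encryption.

function Get-HardwareEncryptedVolume {
    # Hypothetical helper: takes BitLocker volume objects from the pipeline and
    # reports whether each one delegates encryption to the drive itself.
    param([Parameter(ValueFromPipeline)] $Volume)
    process {
        $method = "$($Volume.EncryptionMethod)"
        [pscustomobject]@{
            MountPoint       = $Volume.MountPoint
            VolumeStatus     = "$($Volume.VolumeStatus)"
            EncryptionMethod = $method
            ReliesOnDrive    = ($method -eq 'HardwareEncryption')
        }
    }
}

# Values set by the "Configure use of hardware-based encryption for ..." policies
# (operating system, fixed data and removable data drives respectively).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $value) {
        $state = 'Not configured (OS default applies)'
    } elseif ($value -eq 0) {
        $state = 'Disabled (software encryption enforced)'
    } else {
        $state = 'Enabled (hardware encryption allowed)'
    }
    [pscustomobject]@{ Policy = $name; State = $state }
}

$volumes = Get-BitLockerVolume | Get-HardwareEncryptedVolume
$volumes | Format-Table -AutoSize
$policy  | Format-Table -AutoSize

$exposed = @($volumes | Where-Object { $_.ReliesOnDrive })
if ($exposed.Count -gt 0) {
    # Changing the policy does not re-encrypt existing volumes: BitLocker has to be
    # turned off (fully decrypted) and turned on again to switch to software encryption.
    Write-Warning ("Volumes relying on drive hardware encryption: " +
                   ($exposed.MountPoint -join ', '))
}
```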


  • (Score: 1, Disagree) by shrewdsheep (5215) on Thursday November 08 2018, @09:07AM (#759315)

    Be it RAID, encryption, rootkits (aka management engines, virtualization) and more, always use software, not hardware. Software can be verified, data formats can be reverse engineered or are documented. Not so much with hardware solutions.

  • (Score: 5, Informative) by canopic jug (3949) on Thursday November 08 2018, @09:43AM (#759317)

    The actual press release from Radboud University, the Netherlands [www.ru.nl] and the preliminary report [www.ru.nl] (warning for PDF) both, though mostly the latter, point the public to Free and Open Source Software:

    The results presented in this paper show that one should not rely solely on hardware encryption as offered by SSDs for confidentiality. We recommend users that depend on hardware encryption implemented in SSDs to employ also a software full-disk encryption solution, preferably an open-source and audited one.

    Further down there is a call for the manufacturers to publish their code for review.

    Hardware encryption currently comes with the drawback of having to rely on proprietary, non-public, hard-to-audit crypto schemes designed by their manufacturers. Correctly implementing disk encryption is hard and the consequences of making mistakes are often catastrophic. For this reason, implementations should be audited and subject to as much public scrutiny as possible. Manufacturers that take security seriously should publish their crypto schemes and corresponding code so that security claims can be independently verified.

    [...] Finally, TCG should publish a reference implementation of Opal to aid developers. This reference implementation should also be made available for public scrutiny.

    Closed source, proprietary software kills. Maybe in this case it affects only your wallet, but the potential for worse is there.

    --
    Money is not free speech. Elections should not be auctions.