
posted by mrpg on Thursday November 08 2018, @08:46AM
from the advise-an-advice dept.

Submitted via IRC for Bytram

BitLocker on self-encrypted SSDs blown; Microsoft advises you switch to software protection

Yesterday, Microsoft released ADV180028, Guidance for configuring BitLocker to enforce software encryption, in response to a clever crack published on Monday by Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands (PDF).

[...] The security researchers explain that they were able to modify the firmware of the drives in the required way, because they could use a debugging interface to bypass the password validation routine in SSD drives. It does require physical access to an (internal or external) SSD. But the researchers were able to decrypt hardware-encrypted data without a password. The researchers write that they will not release any details in the form of a proof of concept (PoC) for the exploit.

Microsoft's BitLocker feature encrypts all the data on a drive. When you run BitLocker on a Win10 system with a solid state drive that has built-in hardware encryption, BitLocker relies on the self-encrypting drive's own capabilities. If the drive doesn't have hardware self-encryption (or you're using Win7 or 8.1), BitLocker implements software encryption, which is less efficient, but still enforces password protection.

[...] The hardware-based self-encryption flaw seems to be present on most, if not all, self-encrypting drives.
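As an added example (not from the article, the researchers, or Microsoft's advisory), the PowerShell below does what ADV180028 asks an administrator to do: it reads the `Encryption Method` field of `manage-bde -status` to find volumes where BitLocker is trusting the drive's own firmware encryption, and optionally writes the Group Policy-backed registry values that force software encryption for future BitLocker operations. The registry value names (`OSHardwareEncryption`, `FDVHardwareEncryption`, `RDVHardwareEncryption` under the `FVE` policy key) are my assumption of the values behind the "Configure use of hardware-based encryption" policies; the page itself does not name them.

```powershell
# Added example: audit BitLocker volumes for drive-firmware (SED) encryption and,
# with -Enforce, set the policy values that make BitLocker use software encryption.
# Run from an elevated PowerShell session. "Hardware Encryption" in the
# Encryption Method field means BitLocker delegated to the self-encrypting drive.
param([switch]$Enforce)

function Get-BitLockerEncryptionMethods {
    $status = manage-bde -status | Out-String
    $results = @()
    # manage-bde prints one block per volume, each starting with "Volume X: [label]"
    foreach ($block in ($status -split '(?m)^Volume\s+(?=[A-Z]:)')) {
        if ($block -notmatch '^([A-Z]:)') { continue }
        $letter = $Matches[1]
        $method = if ($block -match 'Encryption Method:\s*([^\r\n]+)') { $Matches[1].Trim() } else { 'Unknown' }
        $results += [pscustomobject]@{
            Volume   = $letter
            Method   = $method
            Hardware = ($method -like 'Hardware*')   # true when the SSD firmware does the crypto
        }
    }
    return $results
}

function Set-BitLockerSoftwareEncryptionPolicy {
    # Assumption: these DWORDs back the three "Configure use of hardware-based
    # encryption for ... drives" Group Policy settings; 0 = policy Disabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        New-ItemProperty -Path $key -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

$volumes = Get-BitLockerEncryptionMethods
$volumes | Format-Table -AutoSize
$hw = $volumes | Where-Object Hardware
if ($hw) {
    Write-Warning ("Volumes relying on drive firmware encryption: " + ($hw.Volume -join ', '))
    # The policy only governs new encryptions; existing volumes must be decrypted
    # (manage-bde -off <vol>) and re-encrypted to switch to software encryption.
    Write-Warning "Decrypt and re-encrypt these volumes after the policy is in place."
}
if ($Enforce) { Set-BitLockerSoftwareEncryptionPolicy; Write-Output "Software-encryption policy set." }
```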


  • (Score: 5, Insightful) by Unixnut on Thursday November 08 2018, @10:17AM (6 children)

    by Unixnut (5779) on Thursday November 08 2018, @10:17AM (#759322)

    All it took for me was "Microsoft" to run for the hills.

    To be fair though, this doesn't seem to actually be a Microsoft cockup. More that they assumed the underlying system was secure, which was a mistake (especially if they didn't give the option to the end user to state "No, screw hardware encryption, I want you to force software encryption"). Out of your choices, we can say the problem is the "proprietary" bit.

    If it was open hardware, with open firmware, then anyone could have done an audit of the code, and perhaps this flaw would have been spotted sooner. It would also make backdoors much harder to hide.

    Funny how "proprietary" has come to mean "worse". Once upon a time "proprietary" meant better than the known state of the art, as if you had some secret sauce others didn't know about that gave you an edge on the competition. Companies and Marketing drones would proudly drum home that their solution is "proprietary" to potential buyers.

    (that was one of the reasons that when Linux first came out, it was laughed at. A non-proprietary OS written by a bunch of hobbyists could never actually be useful as more than a toy. My how things have changed).

    Of course, before the "proprietary" era, there was the "openness" era, from which RMS et al. hail, so it seems tech goes in cycles between openness and proprietary systems. I wonder how much longer the current "openness" era will continue. Things like Android have already been moving towards more binary blobs and proprietary bits and pieces, and Google's next OS may not be OSS at all.

  • (Score: 0) by Anonymous Coward on Thursday November 08 2018, @10:26AM (2 children)

    by Anonymous Coward on Thursday November 08 2018, @10:26AM (#759324)

    We're not and have never been in an "openness era." The world is plagued by proprietary and malicious software. Android was never about user freedom, even if some of its components qualified as Free Software.

    • (Score: 4, Informative) by Unixnut on Thursday November 08 2018, @10:43AM (1 child)

      by Unixnut (5779) on Thursday November 08 2018, @10:43AM (#759332)

      The fact Linux exists and is popular is proof that we are in an "openness era". That doesn't mean everything is open, just more open than before.

      I remember a time when you just accepted that the OS is a black box with no insight over what is going on inside (unless you paid a hell of a lot of money). I remember a time when your OS didn't even have dev tools at all, and you had to pay big money for a simple compiler to be able to code.

      The days of running a free OS, without needing very specific (usually a couple of generations old) hardware, with a huge selection of programming languages, tools, and libraries, all for free, are quite something. If it wasn't for the OSS environment I never would have got into computers, because I just could not afford the devtools in order to learn.

      If you wanted any kind of interesting data, you had to pay for it. Government was not even online at the time, so if you wanted data from them, it involved a lot of physical work going there, applying for it, waiting for approval (with justifications for why you want the data), usually pay a "Processing fee", and if you were lucky, you would get digital data (usually you got a poorly photocopied stack of papers, themselves photocopied from somewhere else, and barely legible).

      Now you have public APIs all over the place, from financial information, to government statistics, to weather reports. Everyone is providing data out there, usually for free, in a form easily parsable and manageable by machines.

      I mean, even industrial automation (you know, robots, CNC machines), historically the bastion of proprietary secrets, software and logic, have started deploying open source operating systems, and providing documented APIs for free as part of the purchase (before, you had to buy the robot, then the PLC to control it, then license the software, and if you wanted the API, or to extend the software, you had to pay again).

      Now we got open source CAD software, open hardware (including 3D printers and CNC machines) and sites dedicated to sharing plans, designs and systems for free, and a whole movement of tinkerers and fabricators making stuff themselves.

      Is the world 100% free and open? No (and it never will be), but it is a hell of a lot better than what it was, and now as we seem to have started sliding in the other direction again, we can consider it an "era" as such.

      • (Score: 0) by Anonymous Coward on Thursday November 08 2018, @05:22PM

        by Anonymous Coward on Thursday November 08 2018, @05:22PM (#759428)

        > Is the world 100% free and open?

        It's not even close. It's mostly proprietary.

  • (Score: 2) by canopic jug on Thursday November 08 2018, @10:41AM (1 child)

    by canopic jug (3949) on Thursday November 08 2018, @10:41AM (#759331)

    > All it took for me was "Microsoft" to run for the hills.
    >
    > To be fair though, this doesn't seem to actually be a Microsoft cockup. More that they assumed the underlying system was secure, which was a mistake (especially if they didn't give the option to the end user to state "No, screw hardware encryption, I want you to force software encryption"). Out of your choices, we can say the problem is the "proprietary" bit.

    No, but apparently it is important to make the news 100% about that vendor and ignore the university researchers that found that this flaw affects multiple brands and designs of SSD, probably abstractable to most SSD and even HDD firmware encryption.

    About the article itself, the choice and summary appears to show that some individuals are insisting on having a contest [arstechnica.com] rather than picking good sources. There are many other articles and blog posts that provide the pertinent facts without drawing focus away from the researchers and their institution. Many of those are even in English, though many are in "Foreign". Here are two in English:

    Again, what I find interesting is that these flaws probably extend to HDDs as well.

    --
    Money is not free speech. Elections should not be auctions.
  • (Score: 2) by Bot on Thursday November 08 2018, @01:11PM

    by Bot (3902) on Thursday November 08 2018, @01:11PM (#759358)

    > More that they assumed the underlying system was secure

    I bet one encrypted porn video that they have been forced to assume that after a nice letter by a 3 letter agency. Yes I am justifying MS, because they are evil, not dumb.

    --
    Account abandoned.