Stories
Slash Boxes
Comments

SoylentNews is people

posted by mrpg on Thursday November 08 2018, @08:46AM   Printer-friendly
from the advise-an-advice dept.

Submitted via IRC for Bytram

BitLocker on self-encrypted SSDs blown; Microsoft advises you switch to software protection

Yesterday, Microsoft released ADV180028, Guidance for configuring BitLocker to enforce software encryption, in response to a clever crack published on Monday by Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands (PDF).

[...] The security researchers explain that they were able to modify the firmware of the drives in a required way, because they could use a debugging interface to bypass the password validation routine in SSD drives. It does require physical access to a (internal or external) SSD. But the researchers were able to decrypt hardware-encrypted data without a password. The researchers write that they will not release any details in the form of a proof of concept (PoC) for exploit.

Microsoft's BitLocker feature encrypts all the data on a drive. When you run BitLocker on a Win10 system with a solid state drive that has built-in hardware encryption, BitLocker relies on the self-encrypting drive's own capabilities. If the drive doesn't have hardware self-encryption (or you're using Win7 or 8.1), BitLocker implements software encryption, which is less efficient, but still enforces password protection.

[...] The hardware-based self-encryption flaw seems to be present on most, if not all, self-encrypting drives.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Thursday November 08 2018, @12:20PM

    by Anonymous Coward on Thursday November 08 2018, @12:20PM (#759347)

    i think the "real" encryption is not off the shelf. costs beaucoup monies and can only be (hardware)
      accessed with a paper trail. thus it lives in the corporate environment only.(*)

    everything else is more or less accesible thus open and ... well... open.
    encryption for the masses is like a car upgrade kit that promises to turn your 20k car into a million dollar ferrari by spraying it red...

    (*) no way to know if its (technically) secure but its so expensive that basement dwellers can literally not touch it and companies selling it live under the constant threat that if the promise should not hold thru, their whole genetic lineage will disappear from history ...