Submitted via IRC for Bytram
BitLocker on self-encrypted SSDs blown; Microsoft advises you switch to software protection
Yesterday, Microsoft released ADV180028, Guidance for configuring BitLocker to enforce software encryption, in response to a clever crack published on Monday by Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands (PDF).
[...] The security researchers explain that they were able to modify the firmware of the drives in a required way, because they could use a debugging interface to bypass the password validation routine in SSD drives. It does require physical access to a (internal or external) SSD. But the researchers were able to decrypt hardware-encrypted data without a password. The researchers write that they will not release any details in the form of a proof of concept (PoC) for exploit.
Microsoft's BitLocker feature encrypts all the data on a drive. When you run BitLocker on a Win10 system with a solid state drive that has built-in hardware encryption, BitLocker relies on the self-encrypting drive's own capabilities. If the drive doesn't have hardware self-encryption (or you're using Win7 or 8.1), BitLocker implements software encryption, which is less efficient, but still enforces password protection.
[...] The hardware-based self-encryption flaw seems to be present on most, if not all, self-encrypting drives.
(Score: 1, Disagree) by shrewdsheep on Thursday November 08 2018, @09:07AM (3 children)
Be it RAID, encryption, rootkits (aka management engines, virtualization) and more, always use software, not hardware. Software can be verified, data formats can be reverse engineered or are documented. Not so much with hardware solutions.
(Score: 5, Informative) by canopic jug on Thursday November 08 2018, @09:43AM (2 children)
The actual press release from Radboud University, the Netherlands [www.ru.nl] and the preliminary report [www.ru.nl] (warning for PDF) both, though mostly the latter, point the public to Free and Open Source Software:
Further down there is a call for the manufacturers to publish their code for review.
Closed source, proprietary software kills. Maybe in this case it affects only your wallet, but the potential for worse is there.
Money is not free speech. Elections should not be auctions.
(Score: -1, Spam) by Anonymous Coward on Thursday November 08 2018, @10:14AM (1 child)
It was a quite a heartwarming scene to see an adult affectionately hugging a child. It was the sort of thing that would instantly brighten one's day. This applied even more so to the man, Erwin, who was doing the hugging. However, something was off.
Yes, this situation appeared ordinary, but something was indeed off. Could it be the lighting? What about the atmosphere? No. It was the hug itself.
Several things differentiated this from an ordinary hug; one, it lasted a strangely long amount of time; two, it involved the man's genitals and the little boy's anus; and three, it was a type of hug that would steal every last ounce of life from its recipient. And it did indeed steal everything from the child, whose naked body promptly collapsed to the ground once the "hug" was over. That boy would never breath or speak again. No longer interested in the silent child with a twisted neck, the affectionate man got up and looked in a certain direction.
Erwin looked, chose, and then sprinted towards his choice. The child looked on in terror as the hideous, obese man approached her with frightening speed. However, given the rope tightly wrapped her legs and arms, she could do nothing but wait until the man arrived to shower her with affection...
(Score: -1, Troll) by Anonymous Coward on Thursday November 08 2018, @05:23PM
Homosexuality is a sin.
(Score: 5, Insightful) by MostCynical on Thursday November 08 2018, @10:06AM (7 children)
which bit of "Microsoft", "proprietary" and "hardware encryption" wasn't enough to cause people to look elsewhere for data protection?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 5, Insightful) by Unixnut on Thursday November 08 2018, @10:17AM (6 children)
All it took for me was "Microsoft" to run for the hills.
To be fair though, this doesn't seem to actually be a Microsoft cockup. More that they assumed the underlying system was secure, which was a mistake (especially if they didn't give the option to the end user to state "No, screw hardware encryption, I want you to force software encryption"). Out of your choices, we can say the problem is the "proprietary" bit.
If it was open hardware, with open firmware, then anyone could have done an audit of the code, and perhaps this flaw would have been spotted sooner. It would also make backdoors much harder to hide.
Funny how "proprietary" has become to mean "worse". Once upon a time "proprietary" meant better than the known state of the art, as if you had some secret sauce others didn't know about that gave you an edge on the competition. Companies and Marketing drones would proudly drum home that their solution is "proprietary" to potential buyers.
(that was one of the reasons that when Linux first came out, it was laughed at. A non-proprietary OS written by a bunch of hobbyists could never actually be useful as more than a toy. My how things have changed).
Of course, before the "proprietary" era, there was the "openness" era, from which RMS et al hail from, so it seems tech goes in cycles between openness and proprietary systems. I wonder how much longer the current "openness" era will continue. Things like Android have already been moving towards more binary blobs and proprietary bits and pieces, and Googles next OS may not be OSS at all.
(Score: 0) by Anonymous Coward on Thursday November 08 2018, @10:26AM (2 children)
We're not and have never been in an "openness era." The world is plagued by proprietary and malicious software. Android was never about user freedom, even if some of its components qualified as Free Software.
(Score: 4, Informative) by Unixnut on Thursday November 08 2018, @10:43AM (1 child)
The fact Linux exists and is popular is proof that we are in an "openness era". That doesn't mean everything is open, just more open than before.
I remember a time when you just accepted that the OS is a black box with no insight over what is going on inside (unless you paid a hell of a lot of money). I remember a time when your OS didn't even have dev tools at all, and you had to pay big money for a simple compiler to be able to code.
The days of running a free OS, without needing very specific (usually a couple generations old) hardware, with a huge selection of programming languages, tools, and libraries, all for free, is quite something. If it wasn't for the OSS environment I never would have got into computers, because I just could not afford the devtools in order to learn.
If you wanted any kind of interesting data, you had to pay for it. Government was not even online at the time, so if you wanted data from them, it involved a lot of physical work going there, applying for it, waiting for approval (with justifications for why you want the data), usually pay a "Processing fee", and if you were lucky, you would get digital data (usually you got a poorly photocopied stack of papers, themselves photocopied from somewhere else, and barely legible).
Now you have public APIs all over the place, from financial information, to government statistics, to weather reports. Everyone is providing data out there, usually for free, in a form easily parsable and managable my machines.
I mean, even industrial automation (you know, robots, CNC machines), historically the bastion of proprietary secrets, software and logic, have started deploying open source operating systems, and providing documented APIs for free as part of the purchase (before, you had to buy the robot, then the PLC to control it, then license the software, and if you wanted the API, or to extend the software, you had to pay again).
Now we got open source CAD software, open hardware (including 3D printers and CNC machines) and sites dedicated to sharing plans, designs and systems for free, and a whole movement of tinkerers and fabricators making stuff themselves.
Is the world 100% free and open? No (and it never will be), but it is a hell of a lot better than what it was, and now as we seem to have started sliding in the other direction again, we can consider it an "era" as such.
(Score: 0) by Anonymous Coward on Thursday November 08 2018, @05:22PM
It's not even close. It's mostly proprietary.
(Score: 2) by canopic jug on Thursday November 08 2018, @10:41AM (1 child)
All it took for me was "Microsoft" to run for the hills.
To be fair though, this doesn't seem to actually be a Microsoft cockup. More that they assumed the underlying system was secure, which was a mistake (especially if they didn't give the option to the end user to state "No, screw hardware encryption, I want you to force software encryption"). Out of your choices, we can say the problem is the "proprietary" bit.
No, but apparently it is important to make the news 100% about that vendor and ignore the university researchers that found that this flaw affects multiple brands and designs of SSD, probably abstractable to most SSD and even HDD firmware encryption.
About the article itself, the choice and summary appears to show that some individuals are insisting on having a contest [arstechnica.com] rather than picking good sources. There are many other articles and blog posts that provide the pertinent facts without drawing focus away from the researhers and their institution. Many of those are even in English, though many are in "Foreign". Here are two in English:
Again, what I find interesting is that these flaws probably extend to HDDs as well.
Money is not free speech. Elections should not be auctions.
(Score: 4, Insightful) by pTamok on Thursday November 08 2018, @02:46PM
...this flaw affects multiple brands and designs of SSD, probably abstractable to most SSD and even HDD firmware encryption.
Again, what I find interesting is that these flaws probably extend to HDDs as well.
Yup.
The Register:Your hard drives were riddled with NSA spyware for years [theregister.co.uk]
The Hacker News:NSA Planted Stuxnet-Type Malware Deep Within Hard Drive Firmware [thehackernews.com]
Wired: How the NSA's Firmware Hacking Works and Why It's So Unsettling [wired.com]
Geek.com: NSA malware found hiding in hard drives for almost 20 years [geek.com]
Computerworld: There's no way of knowing if the NSA's spyware is on your hard drive [computerworld.com]
That's just hard drives, but pretty much anything that has firmware can be compromised: Graphics cards, Ethernet Interfaces, Broadband/GSM/LTE modems; not to mention USB devices [wired.com].
For pretty much all practical purposes, it is well-nigh impossible for the average end user to obtain computing hardware that is not already compromised, or compromiseable. If you are the military of a country that has fabs, it is probably possible, otherwise...
I'm surprised there has not yet been a sustained push for free (libre) and open hardware and software to help mitigate the problem, but I suspect things have to get worse before they get better. Expect more stories like this.
(Score: 2) by Bot on Thursday November 08 2018, @01:11PM
> More that they assumed the underlying system was secure
I bet one encrypted porn video that they have been forced to assume that after a nice letter by a 3 letter agency. Yes I am justifying MS, because they are evil, not dumb.
Account abandoned.
(Score: 0) by Anonymous Coward on Thursday November 08 2018, @12:20PM
i think the "real" encryption is not off the shelf. costs beaucoup monies and can only be (hardware)
accessed with a paper trail. thus it lives in the corporate environment only.(*)
everything else is more or less accesible thus open and ... well... open.
encryption for the masses is like a car upgrade kit that promises to turn your 20k car into a million dollar ferrari by spraying it red...
(*) no way to know if its (technically) secure but its so expensive that basement dwellers can literally not touch it and companies selling it live under the constant threat that if the promise should not hold thru, their whole genetic lineage will disappear from history ...
(Score: 0) by Anonymous Coward on Thursday November 08 2018, @05:25PM (2 children)
When truecrypt fell, they specifically mentioned bitlocker as an alternative. So what are the alternatives now?
Speaking of which have there ever been any cases of truecrypt being defeated? It was hypothetically insecure at the time of the announcement.
(Score: 1, Informative) by Anonymous Coward on Thursday November 08 2018, @06:03PM
"they" are idiots. use linux and luks, ffs
(Score: 2) by tangomargarine on Thursday November 08 2018, @08:49PM
There are successors to the TrueCrypt codebase like VeraCrypt and CipherShed.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by ElizabethGreene on Thursday November 08 2018, @06:49PM
I have never successfully gotten the boot volume of a machine to use hardware encryption. There isn't (or wasn't when I looked earlier this year) a way to turn it on it a running OS built from a task sequence.
(Second hard drives, yes. Boot drives, no.)
Does anyone have this working? You can see it under the "Encryption Type" when you run manage-bde.exe -status
I'd also like to know if the vulnerability effects msed. It nominally has support for self-encrypting drives under Linux.
(Score: 2) by arslan on Friday November 09 2018, @02:40AM
Reminds me of this Seinfeld episode: