
BitLocker on Self-encrypted SSDs Blown; Microsoft Advises You Switch to Software Protection

Accepted submission by upstart at 2018-11-08 01:12:48


Submitted via IRC for Bytram

BitLocker on self-encrypted SSDs blown; Microsoft advises you switch to software protection

Yesterday, Microsoft released ADV180028, Guidance for configuring BitLocker to enforce software encryption, in response to a clever crack published on Monday by Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands (PDF).

The paper (marked “draft”) explains how an attacker can decrypt a hardware-encrypted SSD without knowing the password. Due to a flaw in the way self-encrypting drives are implemented in firmware, a miscreant can get at all of the data on the drive, no key required. Günter Born reports on his Borncity blog:

The security researchers explain that they were able to modify the firmware of the drives in the required way, because they could use a debugging interface to bypass the password validation routine in SSD drives. It does require physical access to an (internal or external) SSD. But the researchers were able to decrypt hardware-encrypted data without a password. The researchers write that they will not release any details in the form of a proof-of-concept (PoC) exploit.

Microsoft’s BitLocker feature encrypts all the data on a drive. When you run BitLocker on a Win10 system with a solid state drive that has built-in hardware encryption, BitLocker relies on the self-encrypting drive’s own capabilities. If the drive doesn’t have hardware self-encryption (or you're using Win7 or 8.1), BitLocker implements software encryption, which is less efficient, but still enforces password protection.

The hardware-based self-encryption flaw seems to be present on most, if not all, self-encrypting drives.

Microsoft’s solution is to decrypt any SSD that implements self-encryption, then re-encrypt it with software-based encryption. Performance takes a hit, but data will be protected by software, not hardware.

For details on the re-encryption technique, see ADV180028.
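One way to carry out the switch the advisory describes, as an added example that is not from the article, the advisory or Microsoft: a PowerShell script, run elevated on Windows 10, that first lists the BitLocker volumes whose EncryptionMethod is Hardware (i.e. BitLocker delegated to the drive's own engine) and then, only when invoked with -Remediate, writes the policy values that disable hardware-based encryption, fully decrypts each affected volume and re-encrypts it with XTS-AES in software. The policy value names under HKLM\SOFTWARE\Policies\Microsoft\FVE, the -Remediate switch and the choice of key protectors are this example's assumptions; verify them against your own policy baseline before running it.

```powershell
# Added example (not the article's or Microsoft's code): audit BitLocker volumes for
# hardware (self-encrypting drive) encryption and optionally move them to software
# encryption in the order ADV180028 describes: policy first, then decrypt, then re-encrypt.
#Requires -RunAsAdministrator
param(
    [switch]$Remediate   # without this switch the script only reports (assumed name)
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
# Values written by the Group Policy "Configure use of hardware-based encryption for
# ... drives" when set to Disabled. Assumption: confirm the names on your build.
$PolicyValues = @{
    OSHardwareEncryption  = 0   # operating system drives
    FDVHardwareEncryption = 0   # fixed data drives
    RDVHardwareEncryption = 0   # removable data drives
}

function Get-HardwareEncryptedVolumes {
    # EncryptionMethod is 'Hardware' when BitLocker relies on the drive's own engine.
    Get-BitLockerVolume | Where-Object { $_.EncryptionMethod -eq 'Hardware' }
}

function Set-SoftwareEncryptionPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $PolicyValues.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $PolicyValues[$name] -Type DWord
    }
}

function Wait-ForVolumeState {
    param([string]$MountPoint, [string]$State)
    do {
        Start-Sleep -Seconds 15
        $v = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ('{0}: {1} ({2}%)' -f $MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
    } until ($v.VolumeStatus -eq $State)
}

$affected = @(Get-HardwareEncryptedVolumes)
if ($affected.Count -eq 0) {
    Write-Host 'No BitLocker volume is using hardware encryption; nothing to do.'
    return
}
$affected | Format-Table MountPoint, VolumeType, EncryptionMethod, ProtectionStatus -AutoSize

if (-not $Remediate) {
    Write-Host 'Re-run with -Remediate to switch these volumes to software encryption.'
    return
}

# 1. Policy first: otherwise re-encryption would select the drive's hardware engine again.
Set-SoftwareEncryptionPolicy

foreach ($vol in $affected) {
    $mp = $vol.MountPoint

    # 2. Full decrypt. Existing key protectors go away with the volume, so escrow the
    #    current recovery password before this step.
    Disable-BitLocker -MountPoint $mp | Out-Null
    Wait-ForVolumeState -MountPoint $mp -State 'FullyDecrypted'

    # 3. Re-encrypt. With the policy in place BitLocker now uses XTS-AES in software.
    #    Protector choice is an assumption: TPM for the OS drive, recovery password
    #    for data drives; adjust to your estate's standard.
    if ($vol.VolumeType -eq 'OperatingSystem') {
        Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
        $added = Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector
    } else {
        $added = Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 -RecoveryPasswordProtector
    }
    $rp = $added.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    Write-Host ('{0}: save this recovery password now: {1}' -f $mp, $rp.RecoveryPassword)

    Wait-ForVolumeState -MountPoint $mp -State 'FullyEncrypted'
    Write-Host ('{0}: now using {1}' -f $mp, (Get-BitLockerVolume -MountPoint $mp).EncryptionMethod)
}
```

Two points the script encodes that are easy to get wrong by hand: flipping the policy does nothing to a volume that is already encrypted, so the decrypt and re-encrypt are unavoidable; and the policy must be in place before Enable-BitLocker runs, or BitLocker will again defer to the drive. The same check is available without PowerShell as the "Encryption Method" line of manage-bde -status, which reads "Hardware Encryption" for the affected configuration.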
