Microsoft issues security advisory on solid state drive hardware encryption.
Microsoft issued security advisory ADV180028 on Tuesday for computer users with self-encrypting SSDs that are ostensibly protected by Microsoft's BitLocker encryption scheme.
In this case, BitLocker uses the SSD's hardware encryption by default instead of BitLocker's own software encryption. Researchers at Radboud University in the Netherlands, however, have found ways to bypass the secrets that are supposed to keep hardware-encrypted data on SSDs secure.
The techniques used to bypass hardware encryption require the ability to execute code on the SSD's controller. The researchers achieved this through "JTAG" [Joint Test Action Group] debugging interfaces, memory corruption, storage chip manipulation and fault injection.
The researchers described how to circumvent the security of self-encrypting drives (SEDs) in their paper (PDF download).
By reverse engineering firmware, the researchers analyzed the full-disk encryption implementations of multiple SEDs from multiple vendors. "Combined, these vendors cover about half of the SSDs sold. We have discovered critical security weaknesses in the drives we studied. In many cases, the contents of the drive can be recovered without knowledge of the password or secret key, which completely bypasses the encryption."
In other words, SSD hardware encryption is not secure. BitLocker users are exposed to this problem as well, because BitLocker uses the SSD's hardware encryption by default.
The researchers tested and verified that the following SSDs were affected:
- Crucial (Micron) MX100, MX200 and MX300 internal drives
- Samsung T3 and T5 portable (external) drives
- Samsung 840 EVO and 850 EVO internal drives (when using ATA security in high mode)
They did not hold out much hope that firmware fixes would arrive for these drives.
"In theory, the issues found can be addressed through firmware updates. Unfortunately, at the time of writing, for many of the drives found to be vulnerable, no firmware update was available or the issue was addressed inadequately."
The researchers also described how to use software encryption on SSDs, which on Windows systems can be done through Group Policy settings plus some additional steps. They recommended an "open source and audited" full-disk software encryption scheme such as VeraCrypt.
BitLocker users can instead switch to Microsoft's own software-based scheme, BitLocker Drive Encryption. Microsoft recommends doing so through a Group Policy change that overrides BitLocker's default behavior of using hardware-based encryption when the drive supports it.
If the SSD is currently using hardware encryption, there is a procedure for switching it to BitLocker software encryption. Microsoft's advisory includes the following note:
Note: After a drive has been encrypted using hardware encryption, switching that drive to software encryption requires that the drive first be decrypted and then re-encrypted using software encryption. If you are using BitLocker Drive Encryption, changing the Group Policy value to enforce software encryption alone is not sufficient to re-encrypt existing data.
Microsoft advised IT pros to set Group Policy to enforce software encryption, turn off BitLocker to decrypt the drive, and then re-enable BitLocker on the SSD. The advisory explicitly states that the drive does not need to be reformatted in this case.
Unfortunately, Microsoft and the researchers do not seem to agree on whether the drive needs to be reformatted. Here is how the researchers described it:
"For affected models, the default setting must be changed to use software encryption only. This change does not re-encrypt existing data, so it does not solve the problem immediately. Only a completely fresh installation, including reformatting the internal drive, will enforce software encryption. Instead of reinstalling, the VeraCrypt software package mentioned above can be used."
When asked about the inconsistency over drive reformatting, a Microsoft spokesperson said the company had nothing more to share beyond the advisory.
The researchers released a draft paper explaining their findings (PDF download). They promised not to release exploits for the SSD flaws and noted that they had followed "responsible disclosure" by notifying the SSD makers in April.
Samsung has issued a consumer notice on this issue. For portable SSDs, Samsung recommends updating the device's firmware with a patch. For non-portable SSDs, it recommends installing encryption software.
You can check whether hardware or software encryption is in use on the SSDs in your environment. Microsoft's advisory said IT pros can perform this check by running manage-bde.exe -status from an elevated command prompt.
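The following PowerShell script is an added example, not code from Microsoft's advisory or from the Radboud researchers. It ties together the two procedures described above: the manage-bde -status check for volumes whose Encryption Method reports "Hardware Encryption", and Microsoft's remediation path of enforcing software encryption through policy, decrypting the volume, and re-encrypting it. The manage-bde -status output layout it parses, and the local-policy registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE (OSHardwareEncryption, FDVHardwareEncryption, RDVHardwareEncryption) that correspond to the "Configure use of hardware-based encryption" Group Policy settings, are assumptions to verify against your Windows build and the BitLocker ADMX template before relying on them.

```powershell
# Added example, not code from ADV180028 or the Radboud paper. Run from an elevated
# PowerShell prompt. Reports BitLocker volumes that rely on SSD hardware encryption and,
# for those, follows Microsoft's path: enforce software encryption, decrypt, re-encrypt.
#
# ASSUMPTIONS (verify in your environment):
#  - manage-bde -status prints "Volume C: [...]" headers followed by indented
#    "Encryption Method:" and "Percentage Encrypted:" fields.
#  - OSHardwareEncryption, FDVHardwareEncryption and RDVHardwareEncryption under
#    HKLM\SOFTWARE\Policies\Microsoft\FVE are the local-policy equivalents of the
#    "Configure use of hardware-based encryption for ... drives" settings.
#    In a domain, set the Group Policy centrally instead of writing the registry here.

function Get-BitLockerVolumeReport {
    # Parse manage-bde -status into one object per volume.
    $lines = & manage-bde.exe -status 2>&1 | ForEach-Object { "$_" }
    $volumes = @()
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^Volume\s+(\S+)') {
            if ($current) { $volumes += $current }
            $current = [pscustomobject]@{
                Volume            = $Matches[1]
                Method            = ''
                HardwareEncrypted = $false
                PercentEncrypted  = $null
            }
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $current.Method = $Matches[1]
            # ADV180028's criterion: a method reporting "Hardware Encryption" means the
            # data is protected by the SSD's own encryption, not BitLocker's AES.
            $current.HardwareEncrypted = $current.Method -like 'Hardware Encryption*'
        }
        elseif ($current -and $line -match '^\s*Percentage Encrypted:\s*([\d.,]+)%') {
            $current.PercentEncrypted = [double]($Matches[1] -replace ',', '.')
        }
    }
    if ($current) { $volumes += $current }
    return $volumes
}

function Disable-HardwareEncryptionPolicy {
    # Local-policy equivalent of setting the three hardware-encryption policies to
    # Disabled, so volumes encrypted from now on use BitLocker software encryption.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Convert-ToSoftwareEncryption {
    param([Parameter(Mandatory)][string]$Volume)   # e.g. 'C:'
    # Per Microsoft's note, policy alone leaves existing data under hardware encryption:
    # the volume must be fully decrypted first, then encrypted again under the new policy.
    & manage-bde.exe -off $Volume | Out-Null
    do {
        Start-Sleep -Seconds 30
        $state = Get-BitLockerVolumeReport | Where-Object { $_.Volume -eq $Volume }
    } while ($state -and $state.PercentEncrypted -gt 0)
    # -RecoveryPassword adds a numerical recovery key; record the value manage-bde prints.
    # Further protectors can be added afterwards with "manage-bde -protectors -add".
    & manage-bde.exe -on $Volume -RecoveryPassword
}

# Report first; act only on volumes that actually rely on SSD hardware encryption.
$report = Get-BitLockerVolumeReport
$report | Format-Table Volume, Method, HardwareEncrypted, PercentEncrypted -AutoSize
$affected = @($report | Where-Object { $_.HardwareEncrypted })
if ($affected.Count -gt 0) {
    Disable-HardwareEncryptionPolicy
    foreach ($v in $affected) { Convert-ToSoftwareEncryption -Volume $v.Volume }
}
```

The report step alone is a safe way to inventory a fleet; the conversion step decrypts the whole volume, so run it on a machine with power and time to spare. Note that the script implements Microsoft's position from the advisory (decrypt and re-encrypt, no reformat); the researchers' position quoted above is that only a fresh installation enforces software encryption, so organizations that follow the researchers' advice should reinstall or use VeraCrypt instead.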