Your Encrypted Hard Drive Might Be Wide Open!
The exploits continue. This one concerns the hardware encrypted Solid State drives that are rapidly being deployed in newer computers, laptops, in particular.
Many companies now use full disk encryption on their computers, especially on laptops that travel, and Microsoft’s BitLocker has become the tool of choice for encrypting disk drives. BitLocker uses software encryption unless it finds that the drive is capable of hardware encryption. Since hardware solutions are usually more secure than software ones, BitLocker will normally default to the drive’s hardware encryption when it is available, and herein lies the rub. Security researchers have found vulnerabilities in popular SSD drives that make it possible to bypass the encryption and read the data without the encryption key! The full paper in .PDF format is here.
This, folks, is BAD NEWS! The paper shows that some SSD drives (including Samsung and Crucial models) do not actually encrypt the data properly, and that the encryption can easily be bypassed without a system password.
The affected disks include:
- Crucial (Micron) MX100, MX200 and MX300 internal hard disks.
- Samsung T3 and T5 USB external disks.
- Samsung 840 EVO and 850 EVO internal hard disks.
The research team did not test every SSD on the market, but found that the disks listed above could be compromised with a range of attacks:
They investigated the MASTER PASSWORD CAPABILITY bit in the firmware, which can be set so that a factory-set master password can unlock the drive. This master password protects the main encryption key used for the disk. For the Samsung MX300 SSD they found there was no need to set this bit, because it could be reset by decrypting the RDS key. That key is the result of decrypting a salt and ciphertext with a unique device key plus a supplied password, and it provides access to ALL protected ranges on the drive. The researchers discovered that the master password for the MX300 drive is “” (an empty, or null, string)!! Indeed, the password that releases the encryption key for the whole disk is an empty string: 32 NULL characters, that is, 32 0x00 byte values.
A big can of worms, this is!!
Shortly after the paper was released, Microsoft issued a Security Advisory that shows not only how to determine whether you’re at risk, but also how to force BitLocker to use software encryption even when hardware encryption is present and available. To check the type of drive encryption in use (hardware or software):
- Run manage-bde.exe -status from an elevated Command Prompt or PowerShell window.
- If none of the drives listed report "Hardware Encryption" for the Encryption Method field, then this device is using software encryption and is not affected by vulnerabilities associated with self-encrypting drive encryption.
I ran this command on my Surface Pro 2017 and it reports the following:
PS C:\windows\system32> manage-bde.exe -status
BitLocker Drive Encryption: Configuration Tool version 10.0.17134
Copyright (C) 2013 Microsoft Corporation. All rights reserved.
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Local Disk]
Size: 475.60 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection On
Lock Status: Unlocked
Identification Field: Unknown
The report shows I’m already using software encryption, so I’m safe on this one. “But what if it said Hardware Encryption, what then?” you ask. Good news! For drives that are encrypted using a vulnerable form of hardware encryption, you can mitigate the vulnerability by switching to BitLocker software encryption by way of a Group Policy. To do this:
- Configure and deploy a Group Policy to enable forced software encryption.
- Fully turn off BitLocker to decrypt the drive.
- Enable BitLocker again. You do NOT need to reformat the drive or reinstall any applications after changing BitLocker settings.
Cool! Sounds easy enough…wait a minute, any chance you can tell me just WHICH GPO needs to be changed and how to change it? I’m glad you asked! I had that same question myself, and it took a bit of hunting to find it. Microsoft references their BitLocker Group Policy Settings document at the end of the Advisory. A quick look will show you that there are DOZENS of settings available. The one I believe we want is Configure use of hardware-based encryption for fixed data drives. According to the description, when this GPO is set to Disabled, “BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive is encrypted.” On a Windows 10 Pro system, this policy can be set using the local Group Policy Editor, GPEdit.MSC. The path to the setting is Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives.
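If you have more than one machine (or more than one volume) to check, the manage-bde test above is easy to script. The following PowerShell is an added example written for this post, not Microsoft’s code: it parses the same manage-bde.exe -status report, flags any volume whose Encryption Method reads "Hardware Encryption", and prints the decrypt/re-enable steps for it; the sample status text it runs against is constructed, not captured from a real machine.

```powershell
# Added example (not from the original post): parse "manage-bde -status" and flag
# volumes that rely on the drive's own (hardware) encryption. Run elevated; pass
# -StatusText to run against saved output instead of calling manage-bde.
function Get-BitLockerMethodSummary {
    param([string[]]$StatusText = (& manage-bde.exe -status 2>&1 | ForEach-Object { "$_" }))
    $volumes = @()
    $current = $null
    foreach ($line in $StatusText) {
        if ($line -match '^\s*Volume\s+([A-Za-z]:)\s*\[(.*)\]') {
            $current = [pscustomobject]@{
                Drive                  = $matches[1]
                Label                  = $matches[2]
                Method                 = 'Unknown'
                Protection             = 'Unknown'
                UsesHardwareEncryption = $false
            }
            $volumes += $current
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $current.Method = $matches[1]
            # The advisory's test: "Hardware Encryption" means the SED is doing the work.
            $current.UsesHardwareEncryption = $matches[1] -like 'Hardware Encryption*'
        }
        elseif ($current -and $line -match '^\s*Protection Status:\s*(.+?)\s*$') {
            $current.Protection = $matches[1]
        }
    }
    return $volumes
}

# Constructed sample (not captured from a real machine): one vulnerable volume and
# one software-encrypted volume like the Surface output quoted in the post.
$sample = @'
Volume C: [Local Disk]
    Encryption Method:      Hardware Encryption
    Protection Status:      Protection On
Volume D: [Data]
    Encryption Method:      XTS-AES 128
    Protection Status:      Protection On
'@ -split "`r?`n"

$report = Get-BitLockerMethodSummary -StatusText $sample
$report | Format-Table Drive, Label, Method, UsesHardwareEncryption -AutoSize
foreach ($v in ($report | Where-Object UsesHardwareEncryption)) {
    # Same remediation order as the advisory: policy first, then decrypt, then re-enable.
    Write-Warning "$($v.Drive) uses hardware encryption: apply the GPO, run 'manage-bde -off $($v.Drive)', wait for decryption to finish, then turn BitLocker back on."
}
```

Remove the -StatusText argument in the last section to run it against the live machine; the function itself is read-only and changes nothing.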
Whew!! That does it for this week, be sure to tune back in again next week for more Adventures in I.T. land!