BitLocker on self-encrypted SSDs blown; Microsoft advises you switch to software protection

BitLocker on self-encrypted SSDs blown; Microsoft advises you switch to software protection

Yesterday, Microsoft released ADV180028, Guidance for configuring BitLocker to enforce software encryption, in response to a clever crack published on

Tor Brings Onion Browser to Android Devices
Ransomware recovery goes beyond data loss for enterprises
1.4 billion stolen credentials found on dark web

Yesterday, Microsoft released ADV180028, Guidance for configuring BitLocker to enforce software encryption, in response to a clever crack published on Monday by Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands (PDF).

The paper (marked “draft”) explains how an attacker can decrypt a hardware-encrypted SSD without knowing the password. Due to a flaw in the way self-encrypting drives are implemented in firmware, a miscreant can get at all of the data on the drive, no key required. Günter Born reports on his Borncity blog:

The security researchers explain that they were able to modify the firmware of the drives in a required way, because they could use a debugging interface to bypass the password validation routine in SSD drives. It does require physical access to a (internal or external) SSD. But the researchers were able to decrypt hardware-encrypted data without a password. The researchers write that they will not release any details in the form of a proof of concept (PoC) for exploit.

Microsoft’s BitLocker feature encrypts all the data on a drive. When you run BitLocker on a Win10 system with a solid state drive that has built-in hardware encryption, BitLocker relies on the self-encrypting drive’s own capabilities. If the drive doesn’t have hardware self-encryption (or you’re using Win7 or 8.1), BitLocker implements software encryption, which is less efficient, but still enforces password protection.

The hardware-based self-encryption flaw seems to be present on most, if not all, self-encrypting drives.

Microsoft’s solution is to unencrypt any SSD that implements self-encryption, then re-encrypt it with software-based encryption. Performance takes a hit, but data will be protected by software, not hardware.

For details on the re-encryption technique, see ADV180028.

Go to Source

COMMENTS