Microsoft published the security advisory ADV180028, Guidance for configuring BitLocker to enforce software encryption, yesterday. The advisory is a response to the research paper Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs) by the Dutch security researchers Carlo Meijer and Bernard van Gastel from Radboud University (PDF here).
The researchers discovered a vulnerability in solid state drives that support hardware encryption which allowed them to retrieve data from an encrypted drive without knowing the password used to encrypt the data on it.
Exploiting the vulnerability requires local access to the drive, because the drive's firmware has to be manipulated to get at the data.
The security researchers tested several retail solid state drives that support hardware encryption and found the vulnerability in each of them, including the Crucial MX100, MX200 and MX300, the Samsung T3 and T5, and the Samsung 840 Evo and 850 Evo drives.
BitLocker supports software and hardware encryption, but it uses hardware encryption by default if the drive supports it. This means that any drive that supports hardware encryption is potentially affected by the issue on Windows.
Microsoft suggests that administrators switch the encryption mode from hardware to software, which resolves the issue on the affected drive.
Verify the encryption method
System administrators can check the used encryption method on Windows devices in the following way:
The solid state drive uses software encryption if you don't find hardware encryption referenced in the output.
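As an added example that is not part of the Ghacks article or Microsoft's advisory, the PowerShell function below parses the output of `manage-bde -status` and flags every volume whose Encryption Method line starts with "Hardware Encryption". The sample status text is constructed so the function can be exercised offline; call it without `-StatusText` on a real machine (from an elevated prompt) to query the live system.

```powershell
# Added example: report BitLocker volumes that rely on the drive's hardware encryption.
# Assumes manage-bde.exe is available (it ships with Windows) and the shell is elevated.
function Get-BitLockerEncryptionMethods {
    param([string[]]$StatusText)   # omit to run "manage-bde -status" for real
    if (-not $StatusText) {
        $StatusText = & manage-bde -status 2>&1
    }
    $results = @()
    $current = $null
    foreach ($line in $StatusText) {
        # Each volume block starts with a line such as: Volume C: [Windows]
        if ($line -match '^Volume\s+([A-Z]:)') {
            $current = [pscustomobject]@{ Volume = $Matches[1]; Method = ''; HardwareEncrypted = $false }
            $results += $current
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+)$') {
            $current.Method = $Matches[1].Trim()
            # manage-bde prefixes drive-managed encryption with "Hardware Encryption"
            $current.HardwareEncrypted = $current.Method -like 'Hardware Encryption*'
        }
    }
    return $results
}

# Constructed sample output: C: is handled by the SSD itself, D: uses software encryption.
$sample = @(
    'BitLocker Drive Encryption: Configuration Tool version 10.0.17134',
    '',
    'Volume C: [Windows]',
    '[OS Volume]',
    '',
    '    Size:                 476.00 GB',
    '    BitLocker Version:    2.0',
    '    Conversion Status:    Fully Encrypted',
    '    Percentage Encrypted: 100.0%',
    '    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2',
    '    Protection Status:    Protection On',
    '',
    'Volume D: [Data]',
    '[Data Volume]',
    '',
    '    Conversion Status:    Fully Encrypted',
    '    Encryption Method:    XTS-AES 128',
    '    Protection Status:    Protection On'
)

Get-BitLockerEncryptionMethods -StatusText $sample |
    Format-Table Volume, Method, HardwareEncrypted -AutoSize
```

With the constructed sample, C: is reported with HardwareEncrypted set to True and D: with False; a volume that is not encrypted at all shows an Encryption Method of None and is also reported as False.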
How to switch to BitLocker software encryption
Administrators may switch the encryption method to software if BitLocker uses a drive's hardware encryption capabilities on a Windows machine.
BitLocker can't switch to software encryption automatically if a drive uses hardware encryption. The required process involves setting software encryption as the default, decrypting the drive, and encrypting it again with BitLocker.
Microsoft notes that it is not necessary to format the drive or reinstall software when switching the encryption method.
The first step is to enforce the use of software encryption using Group Policy.
The setting applies to new drives that you connect to the computer. BitLocker won't apply the new encryption method to drives that are already encrypted.
It is necessary to turn BitLocker off fully on affected drives so that the data is decrypted, and to turn it on again afterwards so that BitLocker encrypts the drive's data with software encryption as defined in the Group Policy.
Here is how that is done:
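The following script is an added example, not a script from the article or from Microsoft: it carries out the decrypt-and-re-encrypt procedure described above for every BitLocker volume that currently reports the Hardware encryption method. It assumes that the Group Policy disabling hardware-based encryption (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption, the "Configure use of hardware-based encryption" settings for operating system, fixed and removable drives) has already been applied and refreshed with `gpupdate /force`, that the shell is elevated, and that XTS-AES 128 with a TPM protector (OS drive) or a recovery password protector (data drives) is an acceptable software configuration; adjust those to your own policy. The 30-second polling interval is an assumption.

```powershell
# Added example: move BitLocker volumes from the SSD's hardware encryption to software encryption.
# Run with -WhatIf first to list the volumes that would be decrypted and re-encrypted.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$PollSeconds = 30   # how often to check decryption progress (assumption)
)

# Only volumes that are encrypted and whose method is the drive's own hardware encryption.
$hardwareVolumes = Get-BitLockerVolume |
    Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' -and $_.EncryptionMethod -eq 'Hardware' }

if (-not $hardwareVolumes) {
    Write-Host 'No BitLocker volume is using hardware encryption; nothing to do.'
    return
}

foreach ($vol in $hardwareVolumes) {
    $mp = $vol.MountPoint
    if (-not $PSCmdlet.ShouldProcess($mp, 'Decrypt and re-encrypt with software encryption')) { continue }

    # Step 1: turn BitLocker off; decryption continues in the background.
    Disable-BitLocker -MountPoint $mp | Out-Null

    # Step 2: wait until the volume is fully decrypted before touching it again.
    do {
        Start-Sleep -Seconds $PollSeconds
        $state = Get-BitLockerVolume -MountPoint $mp
        Write-Host ('{0}: {1} ({2}% encrypted)' -f $mp, $state.VolumeStatus, $state.EncryptionPercentage)
    } while ($state.VolumeStatus -ne 'FullyDecrypted')

    # Step 3: turn BitLocker back on. With hardware encryption disabled by policy,
    # BitLocker uses the software method given here instead of the drive's own.
    if ($vol.VolumeType -eq 'OperatingSystem') {
        # -SkipHardwareTest starts encryption immediately instead of after a test reboot.
        Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes128 -TpmProtector -SkipHardwareTest | Out-Null
    } else {
        Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes128 -RecoveryPasswordProtector | Out-Null
    }

    # Step 4: confirm that the drive's hardware encryption is no longer in use.
    $after = Get-BitLockerVolume -MountPoint $mp
    if ($after.EncryptionMethod -eq 'Hardware') {
        Write-Warning "$mp still reports hardware encryption; verify the Group Policy was applied before decrypting."
    } else {
        Write-Host "$mp now encrypts with $($after.EncryptionMethod)."
    }
}
```

Back up the recovery password of any data volume (it is stored in the KeyProtector list returned by Get-BitLockerVolume) before relying on the re-encrypted drive, and expect the full decrypt and re-encrypt cycle to take a long time on large drives; the script only verifies the method, it does not wait for the new encryption pass to finish.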
The issue affects solid state drives that support hardware encryption. The security researchers tested only some of the solid state drives that support the feature, so it seems likely that additional drives are vulnerable as well.
Attackers need local access to the drive to exploit the vulnerability. While that is very limiting, it is still advisable to switch to software encryption, especially if critical data is stored on the drive or if the computer or drive may be sold or given away at a later point in time. (via Born)