Crucial and Samsung SSDs' Encryption Is Easily Bypassed

Logically, the encryption used in all drives probably has a backdoor, just some companies do a better job hiding it than others.

They said Microsoft shares some of the blame for Windows user data that can easily be stolen from their encrypted drives by people with access to the users’ laptops. That’s because Microsoft’s BitLocker, which is available only on Professional, Enterprise and Education editions of Windows 10, uses the drive’s own encryption by default instead of its own.
Well, that makes sense. Software encryption tends to create additional performance overhead, and CPU acceleration for it is only common in newer CPUs from the last 5 to 7 years or so, while companies will likely have a lot of older hardware in use, so if the drives themselves are already offering to handle it on their own, it's reasonable for Microsoft to let them do so. If some of the drives in question have poor locks on the doors, that's hardly Microsoft's fault. They're simply providing an interface to access it. And do you really think that if they used their own software encryption, that it wouldn't have a backdoor? Perhaps they would do a better job disguising the entrance to keep the common riffraff out, but I wouldn't expect much more than that. The same goes for this open-source software these researchers are recommending. You can bet that various groups around the world have spent billions compromising software like that.
 
Well, as I found out accidentally, even the Home version of W10 does have BitLocker or some other tool, and it might come enabled.
I wanted to update the BIOS and FW on a Yoga 920 and it failed with a status saying the disk is encrypted.

W10 Home is missing the menu and option in Control Panel but still has the command-line tool: manage-bde -status
This showed the disk as 100% encrypted, and I had to decrypt it (took about 2 hours for a 256GB SSD) before rerunning the FW update tool.
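An added example (mine, not the poster's) of the check described above, done per volume rather than by eye: it reports whether each BitLocker volume delegates encryption to the SSD ("Hardware") or runs in software. It uses Get-BitLockerVolume where the BitLocker module is installed and otherwise parses the text of manage-bde -status, which the poster found present on Home. The English label names ("Volume X:", "Conversion Status:", "Encryption Method:") are assumed; run it from an elevated prompt.

```powershell
# Added example, not from the thread. Reports each BitLocker volume and whether
# its encryption is delegated to the drive (EncryptionMethod 'Hardware' from the
# cmdlet; 'Hardware Encryption ...' in manage-bde text output).
# Run from an elevated prompt; manage-bde.exe needs admin rights.

function Get-BitLockerBackend {
    [CmdletBinding()]
    param()

    # Pro/Enterprise/Education: the BitLocker module exposes typed objects.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        return Get-BitLockerVolume | ForEach-Object {
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                VolumeStatus     = [string]$_.VolumeStatus
                EncryptionMethod = [string]$_.EncryptionMethod
                Protectors       = ($_.KeyProtector.KeyProtectorType -join ', ')
                HardwareBacked   = ($_.EncryptionMethod -eq 'Hardware')
            }
        }
    }

    # Home: no module, but manage-bde.exe is present (as the post above found),
    # so parse its status text. Assumes the English labels shown below.
    $volumes = @()
    $current = $null
    foreach ($line in (& manage-bde -status 2>&1)) {
        if ($line -match '^Volume ([A-Z]:)') {
            $current = [pscustomobject]@{
                MountPoint       = $Matches[1]
                VolumeStatus     = ''
                EncryptionMethod = ''
                Protectors       = '(see: manage-bde -protectors -get <drive>)'
                HardwareBacked   = $false
            }
            $volumes += $current
        }
        elseif ($current -and $line -match '^\s*Conversion Status:\s*(.+)$') {
            $current.VolumeStatus = $Matches[1].Trim()
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+)$') {
            $current.EncryptionMethod = $Matches[1].Trim()
            $current.HardwareBacked   = ($current.EncryptionMethod -like 'Hardware*')
        }
    }
    return $volumes
}

$report = Get-BitLockerBackend
$report | Format-Table -AutoSize

$sed = $report | Where-Object HardwareBacked
if ($sed) {
    Write-Warning ("Volumes relying on the drive's own (SED) encryption: " + ($sed.MountPoint -join ', '))
}
```

The HardwareBacked column is the one that matters for this article: a volume that shows "XTS-AES 128" or "AES 256" is encrypted by Windows in software, while "Hardware" means the drive's own firmware holds the key and the research applies.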
 


CPU acceleration is the AES-NI instruction set; the first consumer CPUs to have it arrived in 2010, and it became more common with each passing generation thereafter. Besides, back then SED drives weren't all that common, so falling back to AES-NI was more of the norm than not...assuming the software was even compiled to utilize it. If I recall, not many applications did at the time. In fact, I think Apple's OS X was the first consumer-level OS to support AES-NI via the built-in disk encryption, FileVault.

That all said, if given the option with BitLocker to choose, I'd much rather go with the software implementation paired with the TPM chip on the MB based on this news. Performance isn't going to be that noticeable on a laptop unless you're working with some serious IOP intensive local databases or whatnot. And given laptops are prone to being lost or stolen, I'd much rather have the peace of mind that the data didn't fall into the wrong hands.

 


Yoga 920s ship with Windows 10 Home. That, and the fact that BitLocker is only available in Windows 10 Pro or Enterprise.

If this laptop was upgraded to Pro/Enterprise with BitLocker enabled, then you can just suspend the encryption prior to performing a BIOS update. That, BTW, is recommended so you don't force the system to reboot asking for a recovery key. If you don't have that printed or stored elsewhere in a secure location, you'll be SOL when it asks for one. Anyway, with BitLocker there's no need to fully decrypt the drive just to update the BIOS.

If you are running Windows 10 Home, then perhaps you have an FDE (Full Disk Encryption, aka SED / Self Encrypting Drive) with encryption enabled in BIOS. That, or you had some 3rd party application managing its own implementation in Windows.
 

Nope, that was definitely W10 Home, and no, it was not any BIOS-set encryption; it was a fully OS-side thing. And even if you use BitLocker, it will by default utilize the internal disk encryption.

For a TPM firmware upgrade it's still recommended to decrypt the disk to completely avoid issues, especially for non-standardized TPM 1.2:
- The TPM may in some cases not accept the recovery key.
- You might not have an online MS account and use a local one instead, in which case you can't get the recovery key easily.
- The recovery key might not be stored online for the Home version of W10.

 
Most SSD drives count on the ability to compress data to save space and increase throughput. If we send it encrypted data to write we lose that benefit.
 
My question is this: is this article solely about SESDs (Self-Encrypting SSDs)? We use MBAM as an enterprise-level monitoring tool on NON-self-encrypting SSD drives and utilize the TPM chip built on the motherboards. Are these drives at risk as well?
 

What's stopping you from compressing encrypted data?
 


If it's Windows 10 Home, I can promise you it's not Bitlocker. Unless perhaps the underlying API still exists to be leveraged and managed by a 3rd party disk encryption application?? Either way, you must pay the Microsoft tax to un-cripple the OS to support Bitlocker as a feature natively.

https://www.microsoft.com/en-us/windows/compare

As for BIOS updates: that doesn't touch the TPM module. In fact, on many of the Dell Latitude notebooks I've worked on, they often have their own Broadcom TPM firmware update that's separate from the BIOS. So for updating the TPM firmware I could see needing to decrypt the drive beforehand. But again, with BIOS updates you should only have to "suspend" the BitLocker-encrypted boot drive (C drive).
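The suspend-rather-than-decrypt procedure that this post and the earlier one describe, written out as an added example (mine, not either poster's). It exports the recovery password off the machine first, so the "SOL" case from the earlier post cannot happen, then suspends protection for exactly one reboot. It assumes the OS volume is C:, that the BitLocker module is available (Pro/Enterprise/Education), that $backupPath is removable media rather than the laptop's own disk, and that the OEM updater is run by hand where indicated.

```powershell
# Added example, not from the thread. BIOS/UEFI update on a BitLocker-protected
# laptop: export the recovery password off the device, suspend protection for one
# reboot, run the vendor updater, then confirm protection is back on.
# Needs the BitLocker module (Pro/Enterprise/Education) and an elevated prompt.
# Assumptions: OS volume is C:, $backupPath is a USB stick, updater is run by hand.

$os         = 'C:'
$backupPath = 'E:\bitlocker-recovery-C.txt'   # assumed removable media, never the encrypted disk itself

# 1. Recovery password first. If the firmware change trips TPM validation and the
#    only copy of the password is on this laptop, the machine is unrecoverable.
$vol = Get-BitLockerVolume -MountPoint $os
$rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    # No numerical password protector exists yet: add one before suspending.
    $vol = Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
Set-Content -Path $backupPath -Value @(
    "Volume $os   protector ID $($rp[0].KeyProtectorId)",
    "Recovery password: $($rp[0].RecoveryPassword)"
)
# Domain-joined machines: escrow it in AD DS as well.
# Backup-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $rp[0].KeyProtectorId

# 2. Suspend, do not decrypt. Suspending writes a clear-key protector so the volume
#    master key is readable from disk until the next reboot; RebootCount 1 makes
#    Windows remove it and re-arm protection automatically after that reboot.
Suspend-BitLocker -MountPoint $os -RebootCount 1 | Out-Null
if ((Get-BitLockerVolume -MountPoint $os).ProtectionStatus -ne 'Off') {
    throw "Suspend did not take effect; do not flash firmware with protection on."
}
Write-Host "Protection suspended for one reboot. Run the BIOS updater now and reboot."

# 3. After the reboot (also after a failed flash), verify protection came back:
#      (Get-BitLockerVolume -MountPoint $os).ProtectionStatus    # expect: On
#    If it still reads Off, re-arm it by hand:
#      Resume-BitLocker -MountPoint $os
```

The same two steps exist in the command-line tool for machines without the module: manage-bde -protectors -get C: to read the recovery password, and manage-bde -protectors -disable C: -RebootCount 1 to suspend.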
 
Update to my question: My company reached out to Microsoft about this, and after a couple of back-and-forths the answer I got from them was that this only affects SESD-type drives and that, yes, you have to enable the GPO as stated in the article. However, this report does not pertain to NON-SESD drives, and that

"That question has been popping up the last few days ever since the Dutch research has been published. However, I’ve confirmed from senior resources in the Bitlocker division that that particular scenario applies only to SESDs, not the normal SSDs. In case you have a normal SSD, Bitlocker applies normally and the (MBAM Validation) reports are reliable. In case SESDs are involved, using the GPO specified in the previous e-mail will be sufficient to ensure that software encryption is used. Hope this answers your question."
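An added example (mine, not from the thread or from Microsoft's reply) of applying the policy the mail refers to on a single machine: the three "Configure use of hardware-based encryption for ... drives" settings (operating system, fixed data, removable data), written as the registry values the BitLocker policy template maps them to, followed by the check the mail leaves out. The policy governs only encryption started after it is set; a volume that was already encrypted with the SSD's engine keeps using it until it is decrypted and re-encrypted, which is also what Microsoft's advisory ADV180028 on this research says. The value names come from the VolumeEncryption.admx template rather than from the thread; domain-managed machines should get the GPO centrally, since local values are overwritten on policy refresh.

```powershell
# Added example, not from the thread. Enforces software encryption for BitLocker on
# this machine by writing the values that the Group Policy
# "Configure use of hardware-based encryption for <OS|fixed|removable> drives"
# writes when set to Disabled, then finds volumes the policy does not retroactively fix.
# Value names are from Microsoft's VolumeEncryption.admx (assumption: not shown in the thread).
# Elevated prompt required.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# One value per drive class: OS, fixed data (FDV), removable data (RDV). 0 = hardware
# encryption not allowed, so new BitLocker encryption falls back to software AES.
$names = 'OSAllowHardwareEncryption', 'FDVAllowHardwareEncryption', 'RDVAllowHardwareEncryption'
foreach ($name in $names) {
    Set-ItemProperty -Path $fve -Name $name -Value 0 -Type DWord
}
Get-ItemProperty -Path $fve | Select-Object $names

# The policy only applies to encryption that starts from now on. Anything already
# encrypted while the drive's engine was allowed still depends on that engine.
$stillHardware = @(Get-BitLockerVolume | Where-Object { $_.EncryptionMethod -eq 'Hardware' })
foreach ($v in $stillHardware) {
    Write-Warning "$($v.MountPoint) is hardware-encrypted; the policy alone does not change it."
    # Remediation, to be run deliberately (full decryption takes hours on a large drive,
    # as reported earlier in the thread), shown here rather than executed:
    #   Disable-BitLocker -MountPoint $v.MountPoint
    #   # wait until (Get-BitLockerVolume -MountPoint $v.MountPoint).VolumeStatus -eq 'FullyDecrypted'
    #   Enable-BitLocker -MountPoint $v.MountPoint -EncryptionMethod XtsAes256 -TpmProtector
    #   Add-BitLockerKeyProtector -MountPoint $v.MountPoint -RecoveryPasswordProtector
}
if ($stillHardware.Count -eq 0) { 'No volume is using drive (SED) encryption.' }
```

For a fleet monitored with MBAM, as in the question above, the useful compliance signal is the EncryptionMethod reported per volume: "Hardware" is the value that means the report is describing the SSD's encryption rather than BitLocker's own.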