The value of encryption is hard to overestimate. When it works, it means that even if your data is accessed without authorisation, it cannot be read (and by extension, cannot be exploited) by the attacker; something that makes encryption an essential layer of defence for anyone who’s serious about IT security.
So how should you go about encrypting the data stored on your devices? Well, these days, security-savvy buyers have been gravitating towards self-encrypting drives (SEDs) – and it’s easy to see why. With these, every data file that goes onto the drive gets encrypted automatically at hardware level. It’s fast, effective – and doesn’t involve any additional software. What’s not to love?
There’s just one killer flaw: researchers have just discovered that if you have access to the targeted device (along with just a little bit of technical know-how), for many SEDs, it’s possible to bypass the hardware encryption altogether.
Here’s a closer look at the vulnerabilities – and at what you can do to guard against it…
Self-encrypting solid state drives: what are we talking about?
First off, a word about device storage and the choice between Hard Disk Drive (HDD) and Solid State Drive (SSD) components…
- It wasn’t so long ago that Solid State Drives (SSDs) were the preserve of power users. But as the price of SSDs has fallen, it’s now the case that if you want quick, reliable performance from a laptop or PC, SSD is an increasingly affordable option (even if you have an entire workforce to kit out).
- If you go for SSD, the choice is usually dictated by performance-related reasons (in particular, boot-up time, copy/write speeds, file & program opening speeds all tend to be that much quicker). At the same time, wearing your security hat, you should also be seriously considering Full Disk Encryption to protect the data stored on devices. As it happens, many SSDs (e.g. Samsung’s popular Evo 840, 850 and 860 ranges) are also self-encrypting drives.
How SEDs work
With these, the encryption process is carried out with the use of a unique and random Data Encryption Key (DEK). When data is written to the drive, the DEK encrypts it – and the same DEK decrypts it when the data needs to be read by an authorised user.
Access is controlled via an Authentication Key (AK): a form of password authentication that locks the drive until the correct key is entered.
So what’s the problem?
Researchers at Radboud University in the Netherlands have recently uncovered what they refer to as “a pattern of critical issues” that affect SEDs on sale from various vendors. You can view the full paper here. Crucially, their research has shown that in many popular self-encrypting SSDs, it is possible to bypass the encryption entirely, meaning that in theory, you can access the data, even if you don’t have access to the authentication key.
Which SSDs are affected?
The researchers were able to successfully attack the following SSD models:
- Crucial MX100, MX200 and MX300
- Samsung Samsung 840 EVO, 850 EVO, T3 Portable and T5 Portable
The researchers point out, however, that this was not a full-market test. Many other SSDs may also be exposed.
What are the specific vulnerabilities?
Summarising the issues found, one of the researchers tweeted, likening the situation to “leaving the keys to the safe, under the safe”. The main vulnerabilities were as follows:
- No proper link between the DEK and the AK. The researchers said they were able to connect to the drive’s debug interface on its circuit board. This gave them direct access to the drive’s firmware, enabling them to modify the password-checking routine to accept any passphrase.
- A blank master password by default. With the Crucial MX 300 SSD, the researchers found that the device’s master password was set as an empty string by default. If this remained unaltered, it meant that the data could be unlocked simply by submitting an empty field!
There’s more: issues with BitLocker
BitLocker is Windows’ proprietary inbuilt encryption software. The researchers highlighted a problem relating to the way in which BitLocker interacts with SEDs. Basically, where hardware-based encryption is available, BitLocker uses this by default – in place of its own software-based encryption process.
So if your SSD is vulnerable, then even if you have BitLocker running, your data is still exposed.
How to deal with the problem
For the BitLocker issue, you can change the default setting and instruct the program to use software-based encryption only. This is done by accessing the Local Group Policy Editor (enter “gpedit.msc” in the Run dialog. Navigate to “Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption. Double click on “Configure use of hardware-based encryption for fixed data drives – and select “Disabled”.
As an alternative to BitLocker, you can also use the open source VeraCrypt tool for encryption. (Unlike BitLocker, this can also be used on Windows Home editions).
For its EVO drives, Samsung now recommends installing encryption software. Crucial has already released patches for its affected drives – as has Samsung for its T3 and T5 SSD models.
I have always been concerned about possible flaws in SSD encryption, so have always been recommending open source software encryption like VeraCrypt instead of SSD encryption, where the code has been audited.
The message is clear: consider using full disk encryption at the software level – and always keep on top of your patch updates.
Very very thankful man! Prety good tip!
Mildo
Thanks
I love learning from you! You do know your stuff.
Powerful lecturer
Thank you sir.
Thank you for usedul information.
I have 850 EVO :(. At least I know now that I’m not so secured as was stated.
No problem.
There should be patches soon.
Hi Nathan, i just updated the latest security patches for my samsung SSD T5 but i guess you still don’t recommend the samsung hardware encryption software.
You can’t rely on SSD encryption at this point as they haven’t been scrutinised by third parties.
Thank you, Nathan. Quick and precise as always. 🙂
Thanks
Thanks for the information Nathan as well as the VeraCrypt recommendation. Can you recommend a public-key encryption software as well?
Regards,
Brandon
What do you want to use the public-key encryption software for?
For emails mostly and I also will probably use it for digital signing/authentication. Encryption is completely new to me and as I am in course 1 I want to get started with something, but not sure what is trustworthy. Since I posted my original comment I have tried out GPG4win because it was open source.
Regards,
Brandon
See volume 4 where we cover this. GPG is covered.
Thank you for the heads up Mr. House.
You are welcome.
Thank you for the heads up. Not happy to hear that, the main reason for me to go with hardware based full disk encryption is that it is faster than software based, or at least not atrociously slow. So back to veracrypt, or pretend I did not read your alert
Using SSD encryption is a risk as it’s not gone through the rigor of public security testing other solutions have.
Thank you Nathan. This is a great thread about SSD and SED’s
Thanks Nathan
Nathen, always surprise me with your alerts. Happy i click the link of your YouTube course that day. Thanks is not enough for what your passion an knowledge of CS has done for me and others.
Mr. A, MSIT, IAS
Thank you
Thanks Mr.Nathan for this information.
Thanks for the information, Nathan. As always you keep us up to date on security issues, much appreciated.
Thank you.
Thank you for sharing those info! Amazing lecturer though!
Thank you.
Thank you for the information.
Do you have any link with information on what impact does it have to use software vs hardware based Bitlocker encryption on Samsung SSD HDDs?
And do you know if I make a change to existing Bitlocker encrypted SSD hardrives with hardware encryption method to Disable using group policy and force the drives to use software based encryption method if they will re-encrypt?
Or if I have to remove encryption first and then redeploy the encryption using group policy to use software based encryption method?
Thank you,
Ladislav
Yes the link to the report in the article.
Follow the advice in the article.
thanks nathan for these awesome updates !
thanks nathan for these awesome updates
Thanks for this value update. Just thinking about implementing Bitlocker on my laptop…
Nice and very useful post!!
Thanks Nathan!
Great Job , always your subjects are useful and real ideas. Keep going .
Very beneficial and educational.
Thank you so much
Nathan, what is a good and more secure Encryption and Hash Algorithm ? for use with VeraCrypt or other software?
Thanks
Your question doesn’t make sense sorry. You use the built in encryption with it. AES is a good choice.
You are Awesome Sir. Thank you for all you do to keep us updated. Awesome instructor as well.
Thank you for information, Nathan
Could you put more information on TPM(Trusted Platform Module) devices
This is covered on The Complete Cyber Security course. Volume 4. Doesn’t really relate to this article though.
I use bitlocker primarily to separate my different Windows installations, so that I can run one in more risky ways, watch videos on sites loaded with adware, download torrents and whatever, and I take less a risk of some malware being able to write something malicious to my other installations.
Nice Lecture! Thanks for this informations.
I’m running BITdefender on macOS.
Is it useless or even worse harmful??
Thank you.
Antivirus/end point protection is covered fully in volume 4 of The complete Cyber Security Course. Currently the efficacy of antivirus is questionable. i.e. it doesn’t stop many attacks! Personally I don’t use any on Windows, Mac or Linux and don’t perform actions that can infect my machine. (The actions covered in the course.) But if you’re on Windows and want an extra (but not reliable layer) of security then you may want to go with an antivirus product. Windows 10 AV defender is ok and it has sand boxing https://www.stationx.net/new-sandbox-mode-for-windows-10-defender-antivirus-heres-why-you-should-pay-attention/
Antivirus on Mac and Linux is currently not worth installing.
I don’t currently recommend any product. I recommend doing your own research and watch volume 4.
https://www.av-comparatives.org/dynamic-tests/
https://www.av-test.org/en/
Usefull Information, I didn`t know SED existed and they are vulnerable, the alternative to Bit Locker is also interesting and the solution to Bit Locker vulnerability is amazing
A quick question about a Samsung 850 EVO… if someone issues a “secure erase” on the drive, there is no way this flaw would effect that correct? ; in that once the Secure Erase command is issued, all data on it prior to that point is not recoverable, correct?
In theory it should work yes unless there is a bug. To be double safe encrypt the drive again with something like Veracrypt and loose the key.
This is certainly eye-opening, and very surprising as I was relying on hardware SSD encryption for a while.
You mentioned that Crucial has released patches for their drives. Does that mean that the problem is solved at least for the Crucial SEDs?? Thanks.
It means that the vulnerability that was discovered at the time was fixed. Might there be others? Yes. The message is to be careful if you think SSD encryption can be relied upon. Maybe use something like veracrypt which has had more testing on it. Or both.
Nathan, does this mean that the root cause of the problem resides in how vendors have implemented hardware-level encryption specifications?
Hi Nathan Excellent article. Your advice on disabling the hardware-based encryption for fixed data drives is duly noted but I note that accessing the Local Group Policy Editor and then Configure use of hardware-based encryption – this option reads as “NOT CONFIGURED” and in the explanatory notes under the “help” it further states that “If you do not configure this policy setting, BitLocker will use software-based encryption irrespective of hardware-based encryption availability.”
So does that mean that I should leave this option “as-is” to “NOT CONFIGURED” setting? Because this is what we essentially want Bitlocker to do that this “not use hardware-based encryption – correct?
I have couple of internal SSD’s already encrypted by bitlocker and I’m afraid if I select “Disabled” option I may need to re-do the encryption and then encrypt it again
Pleased to hear
thanks/kc