Tag Archives: BitLocker

Vulnerabilities in self-encrypting SSDs let cyber criminals bypass BitLocker Full Disk Encryption. Don’t Panic!

25 November 2018

Full disk encryption (FDE) solutions like BitLocker are the last line of defence against the theft or loss of a laptop.

No wonder that the post “Flaws in Popular SSD Drives Bypass Hardware Disk Encryption”[1], published by Lawrence Abrams at Bleeping Computer on 11/5/2018, caused considerable alarm in the security community.

I scanned the announcement from Radboud University[2] and the preliminary version of the research paper and found no need to enter panic mode.

Hard Drive Lock by Hello Many from the Noun Project


What happened. Researchers from Radboud University in the Netherlands found two critical security weaknesses, CVE-2018-12037 and CVE-2018-12038, in the hardware encryption of some self-encrypting SSDs. Because of implementation flaws in the drive firmware, the data can be recovered without knowledge of any secret. BitLocker on Windows 8/10 hands the encryption over to the drive instead of encrypting in software when the drive reports that it supports this, mainly to avoid the performance cost of software encryption. On an affected drive the BitLocker protection is therefore only as strong as the drive’s broken implementation: it is compromised.

Under normal operating conditions these weaknesses are hard to exploit: the attacker needs physical access to the drive, typically removing the SSD from the computer and attaching a hardware debugger to its controller, to reach the secrets.

The risk therefore rises whenever the device is out of its owner’s control: left unattended (the classic evil maid attack[3]), lost or stolen. It also applies retroactively to a device that was lost some time ago and has been kept unchanged since, because its data can now be read.

You should already have procedures in place for stolen or lost devices. They must now assume that the data on the drive is readable:

  • Users must change their passwords immediately after the loss of a device is reported.
  • All certificates and soft and hard tokens used to secure remote access or access to sensitive data and services must be revoked immediately after a loss is reported.
  • The help desk must be notified of the loss and instructed to raise a security incident for any request concerning the stolen device or the affected user accounts.

In any case, the best way to keep the impact of a loss small is to store as little sensitive data as possible on portable devices.

For details on how to handle this issue, in particular how to check whether a BitLocker volume relies on the drive’s hardware encryption and how to enforce software encryption via Group Policy, please refer to Microsoft security advisory ADV180028[4], published on 11/6/2018.
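The advisory boils down to two steps: find out whether BitLocker is relying on the drive, and if so switch to software encryption. The following PowerShell script is an added example, not code from the advisory or from this blog. It assumes Windows 10 with the BitLocker PowerShell module and an elevated shell; the registry values are the ones written by the three Group Policy settings “Configure use of hardware-based encryption for … drives” that the advisory names, so verify them in your own Group Policy editor before rolling the script out.

```powershell
#Requires -RunAsAdministrator
# Added example (not from ADV180028 or the blog): find BitLocker volumes that defer to the
# SSD's own encryption, disallow hardware encryption by policy, then decrypt and re-encrypt
# them in software. Assumes Windows 10 with the BitLocker PowerShell module.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Registry values behind the three Group Policy settings named in the advisory,
# "Configure use of hardware-based encryption for ... drives"; 0 = policy Disabled.
$HardwareEncryptionPolicy = @{
    OSAllowHardwareEncryption  = 0   # operating system drives
    FDVAllowHardwareEncryption = 0   # fixed data drives
    RDVAllowHardwareEncryption = 0   # removable data drives
}

function Get-HardwareEncryptedVolumes {
    # EncryptionMethod 'Hardware' means BitLocker holds the key but the drive does the
    # crypto; 'manage-bde -status' lists the same volumes as "Hardware Encryption".
    Get-BitLockerVolume | Where-Object { $_.EncryptionMethod -eq 'Hardware' }
}

function Set-SoftwareEncryptionPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $HardwareEncryptionPolicy.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $HardwareEncryptionPolicy[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Convert-ToSoftwareEncryption {
    param([Parameter(Mandatory)][string]$MountPoint)
    # The policy only governs new encryption. A volume already encrypted by the drive must
    # be fully decrypted and encrypted again; decryption continues in the background.
    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    } while ($vol.VolumeStatus -ne 'FullyDecrypted')

    # With hardware encryption disallowed, re-enabling yields software XTS-AES-256.
    if ($vol.VolumeType -eq 'OperatingSystem') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -TpmProtector -SkipHardwareTest | Out-Null
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    } else {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
            -RecoveryPasswordProtector | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint
}

$affected = @(Get-HardwareEncryptedVolumes)
if ($affected.Count -eq 0) {
    Write-Host 'No BitLocker volume relies on hardware encryption; nothing to do.'
} else {
    Set-SoftwareEncryptionPolicy
    foreach ($vol in $affected) {
        Write-Host "Converting $($vol.MountPoint) from hardware to software encryption..."
        $after = Convert-ToSoftwareEncryption -MountPoint $vol.MountPoint
        Write-Host "$($after.MountPoint): $($after.EncryptionMethod), $($after.VolumeStatus)"
    }
}
```

Afterwards check with manage-bde -status that the Encryption Method line reads XTS-AES 256 rather than Hardware Encryption. If data drives are auto-unlocked by the operating system drive, run Clear-BitLockerAutoUnlock before decrypting the operating system drive, and save the newly generated recovery passwords before rebooting.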

The big question is: who takes care of the self-encrypting external USB disks with a keypad that are built on the affected SSDs?

Have a great week.


  1. Abrams L. Flaws in Popular SSD Drives Bypass Hardware Disk Encryption [Internet]. BleepingComputer. 2018 [cited 2018 Nov 17]. Available from: https://www.bleepingcomputer.com/news/security/flaws-in-popular-ssd-drives-bypass-hardware-disk-encryption/
  2. Radboud University. Radboud University researchers discover security flaws in widely used data storage devices [Internet]. Radboud University. 2018 [cited 2018 Nov 17]. Available from: https://www.ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/radboud-university-researchers-discover-security/
  3. Rouse M. What is evil maid attack? – Definition from WhatIs.com [Internet]. SearchSecurity. 2018 [cited 2018 Nov 25]. Available from: https://searchsecurity.techtarget.com/definition/evil-maid-attack
  4. Microsoft Security Response Center. ADV180028 | Guidance for configuring BitLocker to enforce software encryption [Internet]. Security TechCenter. 2018 [cited 2018 Nov 17]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028

Does that make sense: BitLocker for Desktop Computers?

13 January 2015

The answer is: It definitely makes sense.

Okay, this sounds strange, because a desktop computer is not very likely to get lost. But if your computer is stolen, the thief has full access to the data stored on the disk, even without being able to log in to your system.

An attacker only has to boot Linux from a USB stick and mount the Windows disk into the Linux file system. NTFS permissions mean nothing to the offline system, so everything stored on your computer becomes readable: credit card statements, insurance policies, or scanned love letters.

But the worst is yet to come. The thief also has access to your hashed Windows passwords. These are stored in the SAM (Security Account Manager) hive, the file C:\Windows\System32\config\SAM. The hashes inside are encrypted with a key derived from the SYSTEM hive in the same directory, so an attacker who can read both files can recover them. The SAM is locked while Windows is running, but both files can be read freely once the disk is mounted under Linux. Very strong passwords pay off in such a case, since the NT hashes are unsalted and can be attacked offline at high speed…

Don’t Panic, and have a good day.

Sunset on rhine ferry Leverkusen, 11/28/2014


The course towards security is set upon purchase of a computer

10 January 2015

In his report “SME security on a shoestring budget”, Vladimir Jirasek aptly describes the state of SMEs (small and medium-sized enterprises): they are the engines of the economy, and increasingly susceptible to cyber-attacks, because they have only very limited IT budgets to spend.

Fortunately, Microsoft provides lots of advice and free tools to help SMEs in the struggle against cyber-attacks. In addition, lots of open-source software tools are available that help to boost security. Vladimir Jirasek discusses some of the fundamental built-in security measures for the safe operation of computers.

But the course towards security is set upon purchase of the computer. Below are my recommendations for Microsoft Windows-based computers:

  • Select the 64-bit versions of Windows if you have the choice

I strongly recommend buying a computer with a 64-bit Windows operating system, preferably Windows 8.1. Even with only 4 GB of RAM a 64-bit operating system makes sense, because some security features, such as Enhanced Protected Mode in Internet Explorer, only reach their full effect with 64-bit processes.

Other security features, e.g. ASLR (Address Space Layout Randomization), which makes memory-corruption exploits such as buffer overflows much harder to pull off, work far more effectively in a 64-bit environment, because the much larger address space leaves many more bits to randomize.

Please check in advance whether your applications run on 64-bit Windows. Most 32-bit applications work without problems under 64-bit Windows; the exceptions are mainly 16-bit programs and 32-bit kernel drivers.

The 64-bit Windows versions are normally available at no extra cost with a new computer. Please ask your reseller.

  • Select the professional versions of Windows if you have the choice

Microsoft’s drive encryption feature BitLocker is included in the Pro and Enterprise editions of Windows 8 and 8.1 (in Windows Vista and 7 it is only available in the Ultimate and Enterprise editions). Once BitLocker is enabled, the drive is unlocked at boot either by the TPM, optionally combined with a PIN you have to enter, or, on computers without a TPM, by a password or a USB startup key. In the event of theft or loss a third party cannot access the information on the drive without that PIN, password or key. BitLocker can also protect other fixed and removable drives (BitLocker To Go).

The additional cost of the Professional edition is approximately 40 US$ when buying a new computer.

With 64-bit Windows Professional the gain in security is high at moderate additional cost. I would recommend this choice even for home users.
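The theft scenario in the desktop post above and the Professional-edition recommendation here both come down to the same step: turning BitLocker on with a protector the thief does not have. The following PowerShell script is an added example, not code from this blog. It allows TPM+PIN by policy, enables BitLocker on C: with a recovery password plus TPM+PIN, and escrows the recovery password. The escrow share path is an assumption, as is Windows 10 Pro (Windows 8.1 Pro accepts the same commands with -EncryptionMethod Aes256, since XTS mode is not available there).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the blog): protect the system drive of a desktop PC with
# BitLocker, TPM + PIN at boot, and an escrowed recovery password.
# Assumes Windows 10 Pro/Enterprise with a ready TPM; the escrow share is an assumption.

$MountPoint   = 'C:'
$EscrowFolder = '\\fileserver\bitlocker-recovery$'   # assumed path, replace with your own
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Test-BitLockerAvailable {
    # Home editions ship without the BitLocker cmdlets, which is the point of buying Pro.
    [bool](Get-Command Enable-BitLocker -ErrorAction SilentlyContinue)
}

function Enable-TpmPinPolicy {
    # Group Policy "Require additional authentication at startup": UseAdvancedStartup = 1
    # and UseTPMPIN = 2 (allow TPM + PIN). Without it, -TpmAndPinProtector is refused.
    $values = @{ UseAdvancedStartup = 1; UseTPMPIN = 2 }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -Value $values[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

function Protect-SystemDrive {
    param([Parameter(Mandatory)][SecureString]$Pin)
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'No ready TPM found: enable it in firmware setup, or use a startup key instead.'
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Host "$MountPoint is already protected ($($vol.VolumeStatus))."
        return $vol
    }
    # Recovery password first, so the drive stays recoverable if the TPM is cleared or the
    # mainboard is replaced; then TPM + PIN as the everyday protector.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $Pin -SkipHardwareTest | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Save-RecoveryPassword {
    param([Parameter(Mandatory)]$Volume)
    $rp = $Volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    $record = "{0}`t{1}`t{2}`t{3}" -f $env:COMPUTERNAME, $Volume.MountPoint,
        $rp.KeyProtectorId, $rp.RecoveryPassword
    Add-Content -Path (Join-Path $EscrowFolder "$env:COMPUTERNAME.txt") -Value $record
    # Domain-joined machines can escrow to Active Directory instead:
    # Backup-BitLockerKeyProtector -MountPoint $Volume.MountPoint -KeyProtectorId $rp.KeyProtectorId
}

if (-not (Test-BitLockerAvailable)) {
    throw 'BitLocker cmdlets are missing: this is not a Pro or Enterprise edition.'
}
Enable-TpmPinPolicy
$pin    = Read-Host -Prompt 'Enter the startup PIN' -AsSecureString
$volume = Protect-SystemDrive -Pin $pin
Save-RecoveryPassword -Volume $volume
Write-Host "Status: $($volume.VolumeStatus), method: $($volume.EncryptionMethod). Reboot to test the PIN prompt."
```

Encryption continues in the background after the script finishes; Get-BitLockerVolume shows the progress. Keep the escrow share readable only by the people who handle recovery requests: whoever reads that file can unlock the drive just as well as the owner.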

That’s it for today. Have a nice Weekend.