Tag Archives: Evil Maid Attack

Vulnerabilities in self-encrypting SSDs let cyber criminals bypass BitLocker Full Disk Encryption. Don’t Panic!

25 November 2018

Full disk encryption (FDE) applications like BitLocker represent the final bastion in protection against theft and loss of laptops.

No wonder that post “Flaws in Popular SSD Drives Bypass Hardware Disk Encryption”[1], published by Lawrence Abrams on 11/5/2018 at Bleeping Computer, irritated the security community largely.

I scanned the announcement from Radboud University[2] and the preliminary version of the research paper and found no need to enter panic mode.

Hard Drive Lock by Hello Many from the Noun Project

Hard Drive Lock by Hello Many from the Noun Project

What happened. Researchers from Radboud University in The Netherlands found two critical security weaknesses, CVE-2018-12037 and CVE-2018-12038, in the encryption of some SSDs allowing access to the data without knowledge of any secret. Windows 8/10 BitLocker is able to make use of the hardware encryption capabilities to speed up the encryption process. Thus, BitLocker is compromised.

During normal operating conditions it is hardly possible to exploit these vulnerabilities because a cyber criminal must remove the SSD from the computer and connect a hardware debugger to reach the secrets.

Thus we face an increased risk if the device is left unattended, e.g. evil maid attack[3], lost or stolen. Or, if the device was lost some time ago and kept unchanged for whatever reasons.

Actually, you should have procedures in place to deal with stolen or lost devices. These must be updated now:

  • Users must change their passwords directly after the loss of a device is reported.
  • All certificates, soft and hard tokens used for securing remote access or access to sensitive data and services must be invalidated directly after a loss is reported.
  • The help desk must be notified of the loss and advised to report a security incident in the case of requests regarding the stolen device or the affected user accounts.

In any case, to keep the impact of a loss small the best advice for users is to store as little as possible sensitive data on portable devices.

For details on how to handle this issue please refer to the Microsoft security advisory ADV180028[4], published on 11/6/2018.

The big question is: Who takes care of the self encrypting external usb disks with keypad based on the buggy SSDs?

Have a great week.


  1. Abrams L. Flaws in Popular SSD Drives Bypass Hardware Disk Encryption [Internet]. BleepingComputer. 2018 [cited 2018 Nov 17]. Available from: https://www.bleepingcomputer.com/news/security/flaws-in-popular-ssd-drives-bypass-hardware-disk-encryption/
  2. Radboud University. Radboud University researchers discover security flaws in widely used data storage devices [Internet]. Radboud University. 2018 [cited 2018 Nov 17]. Available from: https://www.ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/radboud-university-researchers-discover-security/
  3. Rouse M. What is evil maid attack? – Definition from WhatIs.com [Internet]. SearchSecurity. 2018 [cited 2018 Nov 25]. Available from: https://searchsecurity.techtarget.com/definition/evil-maid-attack
  4. MSRC M. ADV180028 | Guidance for configuring BitLocker to enforce software encryption [Internet]. Security TechCenter. 2018 [cited 2018 Nov 17]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028
Advertisements

Intel AMT flaw lets attackers take control of laptops in 30 seconds

20 January 2018

Intel’s Active Management Technology (AMT) offers impressive management features to company IT shops:

  • Asset discovery
  • Out-of-band management functions to fix systems even if the OS went down
  • Contain the impact of malware

As any other software, AMT has configuration issues and vulnerabilities. For example, in 2015 default factory settings could be leveraged by an attacker to gain full control over devices from the network. Last year, four vulnerabilities were published in the NVD Database.

The latest configuration issue published on January 12, 2018 by F-Secure researchers allows attackers with physical access to compromise systems easily:

Just press CTRL-P during boot and log into Intel Management Engine BIOS Extension (MEBx) using the default password “admin”. With this, an attacker can reconfigure the system to allow for example remote access once the system is booted and left unattended.

This type of attack is called Evil Maid Attack. It is used especially by cyber criminals and nation state actors to compromise systems.

Although Intel made recommendations to mitigate this issue, the F-Secure report makes clear, that the OEM’s did not implement them and that the system managers did not change the AMT password on delivery to the users.

With this, we have no choice but to set individual AMT and BIOS passwords on all laptops and mobile devices with AMT enabled. This is going to be a hard job in companies with some thousand devices.

A risk based approach makes sense: Start with the top management and employees which have access to business-critical information.

Have a great weekend.