Tag Archives: Full Disk Encrpytion

Thunderspy – Don‘t panic!

19 May 2020

Björn Ruytenberg‘s (1) publication about 7 vulnerabilities in Intel’s Thunderbolt interface justifiably attracts a lot of media attention. Ruytenberg writes in the summary:

“Thunderspy targets devices with a Thunderbolt port. If your computer has such a port, an attacker who gets brief physical access to it can read and copy all your data, even if your drive is encrypted and your computer is locked or set to sleep.”

In Nazmus Sakib’s (2) post in the Microsoft Security Blog this sounds more dramatically:

“An attacker with physical access to a system can use Thunderspy to read and copy data even from systems that have encryption with password protection enabled.”

For the record: Full Disk Encryption (FDE) like BitLocker or LUKS only protects against theft if the computer is in shutdown or hibernation mode. In these cases, the system asks for the passphrase to encrypt the device. If the computer is booted or in sleep mode full disk encryption is useless.

This also holds for Thunderspy. The facts in brief. Thunderspy is a classic “evil maid DMA” attack. The attacker has to flash the Thunderbolt firmware with malicious code and wait for the victim to boot his computer. Once the computer is left unattended the attacker plugs in a specially crafted Thunderbolt device and copies data from the disk.

This is nothing new. The bad news is that all Thunderbolt-equipped computers built between 2011 and 2020 are affected. And that the vulnerabilities cannot be fixed; a hardware redesign is required.

So, everyone with a Thunderbolt-equipped computer should be concerned? No, absolutely not.

Risk for Consumers
The risk for consumers is unchanged because, in general, these devices are not secured, neither with a BIOS password nor with FDE, thus easy to compromise, e.g., with a Linux Live System, if left unattended.

Risk for Business people
The risk for business people is slightly increased. Business computers in general are secured with FDE, so the attacker must wait until the computer is left unattended to plug in the malicious device. Mitigation in this case requires a change in our habits: Put the computer in hibernation mode, instead in sleep mode, if you leave you workplace. The other important rule, “Don’t attach unknown devices to your computer” is already followed in the business domain.

Risk for Executives
The risk for business executives, military, government officials, etc. is unchanged. This group is always under attack, thus hopefully well protected.

Picture credit: Setreset (1)

Picture credit: Setreset (1)

Dan Goodin (3) sums it up:

“Readers who are left wondering how big a threat Thunderspy poses should remember that the high bar of this attack makes it highly unlikely it will ever be actively used in real-world settings, except, perhaps, for the highest-value targets coveted by secretive spy agencies. Whichever camp has a better case, nothing will change that reality.”

Don’t panic!


References

  1. Ruytenberg B. Thunderspy – When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security [Internet]. Thunderspy. 2020 [zitiert 18. Mai 2020]. Verfügbar unter: https://thunderspy.io/
  2. Sakib N. Secured-core PCs help customers stay ahead of advanced data theft [Internet]. Microsoft Security Blog. 2020 [zitiert 18. Mai 2020]. Verfügbar unter: https://www.microsoft.com/security/blog/2020/05/13/secured-core-pcs-help-customers-stay-ahead-of-advanced-data-theft/
  3. Goodin D. Thunderspy: What it is, why it’s not scary, and what to do about it [Internet]. Ars Technica. 2020 [zitiert 13. Mai 2020]. Verfügbar unter: https://arstechnica.com/information-technology/2020/05/thunderspy-what-is-is-why-its-not-scary-and-what-to-do-about-it/

PIcture credit

  1. Setreset / CC BY-SA (https://creativecommons.org/licenses/by-sa/3.0), https://commons.wikimedia.org/wiki/File:Spy_silhouette.svg

Vulnerabilities in self-encrypting SSDs let cyber criminals bypass BitLocker Full Disk Encryption. Don’t Panic!

25 November 2018

Full disk encryption (FDE) applications like BitLocker represent the final bastion in protection against theft and loss of laptops.

No wonder that post “Flaws in Popular SSD Drives Bypass Hardware Disk Encryption”[1], published by Lawrence Abrams on 11/5/2018 at Bleeping Computer, irritated the security community largely.

I scanned the announcement from Radboud University[2] and the preliminary version of the research paper and found no need to enter panic mode.

Hard Drive Lock by Hello Many from the Noun Project

Hard Drive Lock by Hello Many from the Noun Project

What happened. Researchers from Radboud University in The Netherlands found two critical security weaknesses, CVE-2018-12037 and CVE-2018-12038, in the encryption of some SSDs allowing access to the data without knowledge of any secret. Windows 8/10 BitLocker is able to make use of the hardware encryption capabilities to speed up the encryption process. Thus, BitLocker is compromised.

During normal operating conditions it is hardly possible to exploit these vulnerabilities because a cyber criminal must remove the SSD from the computer and connect a hardware debugger to reach the secrets.

Thus we face an increased risk if the device is left unattended, e.g. evil maid attack[3], lost or stolen. Or, if the device was lost some time ago and kept unchanged for whatever reasons.

Actually, you should have procedures in place to deal with stolen or lost devices. These must be updated now:

  • Users must change their passwords directly after the loss of a device is reported.
  • All certificates, soft and hard tokens used for securing remote access or access to sensitive data and services must be invalidated directly after a loss is reported.
  • The help desk must be notified of the loss and advised to report a security incident in the case of requests regarding the stolen device or the affected user accounts.

In any case, to keep the impact of a loss small the best advice for users is to store as little as possible sensitive data on portable devices.

For details on how to handle this issue please refer to the Microsoft security advisory ADV180028[4], published on 11/6/2018.

The big question is: Who takes care of the self encrypting external usb disks with keypad based on the buggy SSDs?

Have a great week.


  1. Abrams L. Flaws in Popular SSD Drives Bypass Hardware Disk Encryption [Internet]. BleepingComputer. 2018 [cited 2018 Nov 17]. Available from: https://www.bleepingcomputer.com/news/security/flaws-in-popular-ssd-drives-bypass-hardware-disk-encryption/
  2. Radboud University. Radboud University researchers discover security flaws in widely used data storage devices [Internet]. Radboud University. 2018 [cited 2018 Nov 17]. Available from: https://www.ru.nl/english/news-agenda/news/vm/icis/cyber-security/2018/radboud-university-researchers-discover-security/
  3. Rouse M. What is evil maid attack? – Definition from WhatIs.com [Internet]. SearchSecurity. 2018 [cited 2018 Nov 25]. Available from: https://searchsecurity.techtarget.com/definition/evil-maid-attack
  4. MSRC M. ADV180028 | Guidance for configuring BitLocker to enforce software encryption [Internet]. Security TechCenter. 2018 [cited 2018 Nov 17]. Available from: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028