
How to Fix the BitLocker Hardware Encryption Bug in Windows 10


nir


The issue is caused by an issue in the SSD encryption system

One of the most recent bugs hitting Windows 10 users concerns BitLocker encryption, as this feature is compromised by an issue discovered by security researchers in a number of SSDs.

Specifically, Dutch security researchers Carlo Meijer and Bernard van Gastel from Radboud University came across an issue that allows the hardware encryption system on specific solid state drives to be bypassed without an encryption key, letting a potential cybercriminal access the data stored on the drives.

Due to this bug, the BitLocker feature in Windows is compromised as well, as by default, the OS encryption system uses hardware encryption if available.

In other words, BitLocker is configured in a way that prioritizes the use of hardware encryption whenever SSDs installed on the system support it. If hardware encryption isn’t available, BitLocker automatically enables software encryption.

Microsoft has already confirmed the bug and recommends users to switch to software encryption until new firmware resolving the issue is released by the manufacturers of the impacted SSDs.

Disabling hardware encryption for BitLocker in Windows 10

First and foremost, you need to check whether BitLocker uses hardware or software encryption on your system. To do this, launch an elevated Command Prompt window (type cmd.exe in the Start menu, right-click the result, and click Run as administrator) and type the following command:

manage-bde.exe -status

If any of the drives report Hardware Encryption in the Encryption Method section, you need to switch to software encryption for that specific drive.

Before doing this, there’s one critical thing you need to do. BitLocker encryption needs to be turned off in order for Windows to decrypt your files and only then enable software encryption. If you don’t do this, the feature will fail to activate, as your data is already encrypted.

To change the type of encryption used by BitLocker, launch the Group Policy Editor by typing gpedit.msc in the Start menu. Navigate to the following path:

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives

In the right pane, look for a policy that uses the following name:

Configure use of hardware-based encryption for operating system drives

Double-click this policy to change its status (by default it should be set to Not Configured) and select the Disabled option. Click OK and that’s it. Reboot your system and then re-enable BitLocker.

You can run the command mentioned above to check the encryption method used on your drive. If the aforementioned change was applied correctly, your drives should now be encrypted using a software encryption system.

Disabling hardware encryption for fixed and removable drives in Windows 10

If you want to configure the encryption method for other drives on your system where Windows is not installed, you need to follow the next paths in the Group Policy Editor:

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives
*and*
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives

Open each of the two locations and look for a policy that’s also called:

Configure use of hardware-based encryption for fixed data drives
*and*
Configure use of hardware-based encryption for removable data drives

Double-click each policy individually and switch it to Disabled. Again, you need to disable BitLocker if the feature was already running using hardware encryption before applying these changes. Reboot your system after making the policy changes and then enable BitLocker once again.

To enable and disable BitLocker for any of your drives on Windows 10, type BitLocker in the Start menu and press Enter. You’ll be redirected to a Control Panel UI where you’ll see your drives and the status of BitLocker for each of them. Just click Turn on BitLocker to enable it (if it’s off) or Turn off BitLocker (if it’s on) to change its status.

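The check-then-reconfigure procedure from the post above (manage-bde status check, then the three "Configure use of hardware-based encryption" policies set to Disabled), as an added PowerShell example that is not part of the original post or of Microsoft's guidance. It assumes the registry value names given in its header comment and must run from an elevated PowerShell.

```powershell
# Added example, not from the original post. Finds BitLocker volumes that report
# "Hardware Encryption" and, with -EnforceSoftwareEncryption, writes the
# "Disabled" state of the three Group Policy items the post walks through
# (OS, fixed and removable drives). Assumption: those policies map to DWORD
# values OSHardwareEncryption, FDVHardwareEncryption and RDVHardwareEncryption
# under HKLM\SOFTWARE\Policies\Microsoft\FVE, as in the BitLocker ADMX template;
# verify against gpedit.msc on your build. Run from an elevated PowerShell.
param([switch]$EnforceSoftwareEncryption)

function Get-BitLockerHardwareEncryptedVolumes {
    # manage-bde -status prints one block per volume; the "Encryption Method:"
    # line reads "Hardware Encryption ..." on self-encrypting drives.
    $text = (& manage-bde.exe -status 2>&1) | Out-String
    $found = @()
    $volume = $null
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^Volume\s+(\S+)') { $volume = $Matches[1]; continue }
        if ($volume -and $line -match 'Encryption Method:\s*(.+?)\s*$') {
            $method = $Matches[1]   # save before the next -match overwrites $Matches
            if ($method -match 'Hardware') {
                $found += [pscustomobject]@{ Volume = $volume; Method = $method }
            }
        }
    }
    return $found
}

function Set-BitLockerSoftwareEncryptionPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        # 0 is the policy's "Disabled" state: BitLocker must use software encryption.
        New-ItemProperty -Path $key -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

$hw = @(Get-BitLockerHardwareEncryptedVolumes)
if ($hw.Count -eq 0) {
    Write-Host 'No volume reports Hardware Encryption; nothing to change.'
} else {
    $hw | Format-Table -AutoSize | Out-String | Write-Host
    if ($EnforceSoftwareEncryption) {
        Set-BitLockerSoftwareEncryptionPolicy
        Write-Host 'Policy written. As the post stresses, turn BitLocker off on the listed'
        Write-Host 'volumes (let them decrypt), reboot, turn it on again, then re-run manage-bde -status.'
    } else {
        Write-Host 'Re-run with -EnforceSoftwareEncryption to write the Disabled policy values.'
    }
}
```

The script only writes the policy values; the decrypt, reboot and re-encrypt steps are left to the operator, exactly as the post describes them, because software encryption cannot be applied to a volume that is still hardware-encrypted.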



Microsoft Tells Windows 10 BitLocker Users: Turn It Off And On Again

 

Roy, the unsympathetic technical support character in the cult television comedy The IT Crowd, would always start his user conversations with "Hello, IT. Have you tried turning it off and on again?" Now Microsoft has offered the same advice to users of the BitLocker full disk encryption feature in Windows 10 Pro and Enterprise versions. The guidance comes in security advisory ADV18002 issued by Microsoft after researchers disclosed the hardware encryption of self-encrypting solid state drives (SSDs) could be exploited through multiple security vulnerabilities.

Research by Carlo Meijer and Bernard van Gastel from the Radboud University in the Netherlands, who reverse engineered 'several' self-encrypting solid state drives (SSDs), found a number of vulnerabilities that would allow for "full recovery of the data without knowledge of any secret when you have physical access to the drive." OK, that last requirement does rather reduce the real-world impact of the threat but not enough to make it negligible. After all, it means that a lost or stolen drive, even one that someone else has relatively fleeting access to, could be exploited and data accessed.

 

Indeed, as the researchers point out, this means that users should "not rely solely on hardware encryption offered by SSDs for data confidentiality." Especially as the reverse engineering tests were performed across SSDs from vendors representing approximately half of the SSD market in total. The critical vulnerabilities discovered were found using $115 worth of hardware and "using public information." That is as much as the researchers are saying when it comes to the exact exploitation tools they used, which is a wise decision seeing as if known they could be replicated easily and cheaply I am guessing.

 

What the researchers are saying, however, is that the vulnerabilities themselves can be split into two distinct classes. An absence of cryptographic binding between the user password and the key used to encrypt the data is the first of them. The second class of vulnerability is one involving key information that is stored in a 'wear-levelled' storage chip and which can remain despite logical level overwrites.

 

As users of Windows 10 Pro or Enterprise have access to, and will likely use, the full-disk encryption BitLocker feature, Microsoft has acted quickly. It has issued a security advisory for configuring BitLocker to enforce software encryption, which will not be the default as BitLocker exclusively uses hardware encryption if the drive indicates support for it. The advisory states "On Windows computers with self-encrypting drives, BitLocker Drive Encryption manages encryption and will use hardware encryption by default. Administrators who want to force software encryption on computers with self-encrypting drives can accomplish this by deploying a Group Policy to override the default behavior."

 

BitLocker users who are unaware what type of encryption is being employed can run the command 'manage-bde.exe -status' from an elevated privilege prompt. In order to mitigate the vulnerabilities that some self-encrypting drives apparently now represent, Windows users should deploy a group policy enabling forced software encryption and then turn BitLocker off in order to hardware decrypt and then on again to re-encrypt in software. Roy would be proud.

 

Richard Slater, principal consultant at Amido, told me that the impact of the vulnerabilities is potentially far-reaching. Especially as it's not known at the moment if the drives from manufacturers that weren't on the test-bench are also vulnerable. "The advice from Microsoft to disable hardware encryption in BitLocker entirely isn't going to help with devices not connected to a corporate Active Directory domain or network" Slater points out, continuing "our tech-ops team have jumped on the issue and are putting together a plan for how we mitigate this risk across our organization." You might think that banks, which typically use third-party encryption controls, would therefore be pretty much immune to this issue. However, Slater says that many of these tools are increasingly reliant on BitLocker as the underlying mechanism. "The industry has put a huge amount of trust that BitLocker hardware encryption provides effective encryption-at-rest capabilities" he explains, adding "it's a huge disappointment for the IT industry in both Microsoft's blind trust of hard drive manufacturers and those that developed the flawed hardware encryption in the first place."

 

Meanwhile, Ian Trump, head of cyber security at AmTrust International, thinks that in the fast-moving world of storage products which have code running on them and the complexity of modern operating systems, this probably all comes down to that time-honored excuse of 'I thought YOU were going to look after that issue?' "It does raise questions about how code on a hard drive API interfaces with the Operating System and how BitLocker really works" Trump said in conversation this afternoon. He argues that if your business had enabled BitLocker that indicates enough due-diligence from a regulatory compliance perspective. "I don't think it's reasonable to expect everyone to reverse engineer a security feature to test its level of robustness" he pointed out, "unless your threat model indicates malicious actors are really after your data."

 

I bow to the greater wisdom of Mr Trump, not something you'll find many people saying today of all days I imagine, when this Trump imparts some hard-earned lessons in InfoSec:

  1. Trust but verify.
  2. Crypto implementations are hard.
  3. Crypto implementations are super-duper really hard in the hyper-competitive 'the storage product has to ship today' world.

In the meantime, I recommend all BitLocker users to go and implement that IT Crowd advice...




I have a Samsung 850 EVO with hardware encryption. I PURPOSELY enabled hardware encryption because it made it ridiculously faster (read: INSTANT) to encrypt/decrypt the drives when doing Windows reinstalls.

Samsung's response to this: Don't use BitLocker and use third party.


WTF

Instead of fixing the product after advertising hardware encryption, that's their answer?
