Microsoft acknowledges major SSD encryption security issue
Updated on October 10, 2022
Microsoft recently issued a Security Advisory (ADV180028) warning users of self-encrypting solid state drives (SSDs), also called self-encrypting drives (SEDs), who protect them with BitLocker.
This security advisory came after two security researchers from the Netherlands, Carlo Meijer and Bernard van Gastel, published a draft paper outlining vulnerabilities they discovered. Here is the abstract summarising the problem:
We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware. In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret.
The paper describes several distinct vulnerabilities; I will concentrate on the two main ones.
SSD Hardware Encryption Security
BitLocker has long been able to hand the work over to the drive: when an SSD advertises hardware encryption support (the "eDrive" combination of TCG Opal and IEEE 1667), BitLocker by default used the drive's own encryption instead of encrypting in software. Unfortunately for Microsoft, that meant BitLocker inherited whatever weaknesses the drive's firmware had. More from Meijer and van Gastel:
BitLocker, the encryption software built into Microsoft Windows, will rely exclusively on hardware full-disk encryption if the SSD advertises support for it. Thus, for these drives, data protected by BitLocker is also compromised.
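The check and remediation that ADV180028 describes, as an added PowerShell example (this is not code from the article, from the researchers or from Microsoft): find BitLocker volumes that manage-bde reports as using hardware encryption, disable hardware-based BitLocker encryption by policy, then decrypt and re-encrypt those volumes so the CPU does the work. The "Hardware Encryption" status string and the three policy value names under the FVE registry key (OSHardwareEncryption, FDVHardwareEncryption, RDVHardwareEncryption) are assumptions taken from the advisory text and the BitLocker policy templates; confirm them against your own environment before relying on them, and run the script from an elevated session.

```powershell
# Added example, not code from the article or from Microsoft.
# Finds BitLocker volumes that rely on the SSD's hardware encryption (the case
# ADV180028 warns about) and converts them to software encryption.
# Assumptions: manage-bde reports such volumes as "Encryption Method: Hardware Encryption",
# and the policy values under HKLM\SOFTWARE\Policies\Microsoft\FVE are named as below.
# Run in an elevated session. Decrypting and re-encrypting takes a long time on big volumes.

function Get-HardwareEncryptedVolume {
    # Parse manage-bde output: a "Volume C: [Label]" header, then indented fields.
    $current = $null
    foreach ($line in (& manage-bde.exe -status 2>&1)) {
        if ("$line" -match '^Volume ([A-Z]:)') {
            $current = $Matches[1]
        }
        elseif ("$line" -match 'Encryption Method:\s*(.+)$') {
            $method = $Matches[1].Trim()
            if ($method -like '*Hardware*') {
                [pscustomobject]@{ Volume = $current; Method = $method }
            }
        }
    }
}

function Disable-BitLockerHardwareEncryptionPolicy {
    # Same effect as setting the three "Configure use of hardware-based encryption ..."
    # group policies (OS, fixed data, removable drives) to Disabled. This only affects
    # NEW encryption; volumes already using hardware encryption must be converted.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        New-ItemProperty -Path $key -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

function Convert-ToSoftwareEncryption {
    param([Parameter(Mandatory)][string]$Volume)
    # Full decrypt, wait for it to finish, then re-encrypt with XTS-AES 256 in software.
    Disable-BitLocker -MountPoint $Volume | Out-Null
    while ((Get-BitLockerVolume -MountPoint $Volume).VolumeStatus -ne 'FullyDecrypted') {
        Start-Sleep -Seconds 30
    }
    if ((Get-BitLockerVolume -MountPoint $Volume).VolumeType -eq 'OperatingSystem') {
        # OS volume: TPM protector, as a normal BitLocker setup would have.
        Enable-BitLocker -MountPoint $Volume -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    } else {
        # Data volume: recovery password protector; store the printed password safely.
        Enable-BitLocker -MountPoint $Volume -EncryptionMethod XtsAes256 -RecoveryPasswordProtector
    }
}

$affected = @(Get-HardwareEncryptedVolume)
if ($affected.Count -eq 0) {
    'No BitLocker volume is using hardware (SED) encryption.'
} else {
    Disable-BitLockerHardwareEncryptionPolicy
    foreach ($v in $affected) {
        "Converting $($v.Volume) from '$($v.Method)' to software encryption"
        Convert-ToSoftwareEncryption -Volume $v.Volume
    }
}
```

Two caveats a practitioner will want: the policy change alone does nothing for volumes that are already hardware-encrypted, which is why the script decrypts and re-encrypts them, and the drive's own firmware weaknesses remain regardless of what BitLocker does, so vendor firmware updates are still worth applying.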
The first vulnerability means that any attacker who can read the SED's user manual can obtain the vendor's default master password. With the master password, attackers can bypass the user-set password and access the data.
Fix Master Password Vulnerabilities
In reality, this vulnerability would seem to be quite easy to fix. Firstly, the user can set their own master password, replacing the default one set by the SED vendor. A master password chosen by the user would not be known to an attacker.
The other option would seem to be to set the ATA MasterPasswordCapability to 'Maximum'. In that setting the master password can only be used to erase the drive, not to unlock it, so knowing the vendor default no longer gives access to the data.
Of course, the security advisory comes from the assumption that the average user believes an SED is safe from attackers as shipped, so why would anyone do either of these things?
User Passwords and Disk Encryption Keys
Another vulnerability is that there is no cryptographic binding between the user password and the disk encryption key (DEK) used to encrypt the data. The password merely gates access to a DEK that the drive already holds in usable form.
In other words, someone could look inside the SED chip to find the value of the DEK, or patch the firmware's password check so that it always succeeds, and then use the DEK to decrypt the local data. In this case, the attacker would not require the user password to get access to the data.
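To make the binding point concrete, here is an added PowerShell model of the two storage designs; it is not code from the paper or the article, and real SEDs use vendor-specific formats. The 'weak' variant follows the flaw described above: the drive keeps the DEK in usable form and the password is only compared against a hash, so an attacker who can read the drive's internal storage or skip the check obtains the DEK. The 'bound' variant derives a key-encryption key from the password with PBKDF2 and stores only the AES-wrapped DEK plus an HMAC tag, so without the password the stored bytes are useless. The passwords, keys and storage layout are all constructed for the example.

```powershell
# Added example, not from the article or from Meijer and van Gastel's paper.
# Two toy "SED" storage layouts. All values here are constructed for illustration.

function New-RandomBytes([int]$Count) {
    $b = [byte[]]::new($Count)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b)
    return ,$b       # leading comma keeps the array from being unrolled
}

function Test-BytesEqual([byte[]]$A, [byte[]]$B) {
    # Constant-time comparison so the check itself is not a timing oracle.
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function Get-Sha256([string]$Text) {
    return ,[System.Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::UTF8.GetBytes($Text))
}

# ---- Weak design (the flaw described above): DEK stored as-is, password only gates access ----
function New-WeakSed([string]$Password) {
    @{
        Dek          = New-RandomBytes 32          # usable key, sitting in storage
        PasswordHash = Get-Sha256 $Password        # only used for a compare
    }
}
function Unlock-WeakSed($Sed, [string]$Password) {
    if (-not (Test-BytesEqual (Get-Sha256 $Password) $Sed.PasswordHash)) { return $null }
    return ,$Sed.Dek
}
# An attacker with debug access does not need this function: $Sed.Dek is readable
# directly, and the compare above can be patched out of the firmware.

# ---- Bound design: DEK only recoverable through a key derived from the password ----
function New-BoundSed([string]$Password) {
    $salt = New-RandomBytes 16
    $iv   = New-RandomBytes 16
    $dek  = New-RandomBytes 32
    $kek  = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $salt, 100000).GetBytes(32)
    $aes  = [System.Security.Cryptography.Aes]::Create()          # CBC + PKCS7 defaults
    $wrapped = $aes.CreateEncryptor($kek, $iv).TransformFinalBlock($dek, 0, $dek.Length)
    $tag  = [System.Security.Cryptography.HMACSHA256]::new($kek).ComputeHash([byte[]]($iv + $wrapped))
    # Note what is NOT stored: neither the DEK nor a standalone password verifier.
    @{ Salt = $salt; IV = $iv; WrappedDek = $wrapped; Tag = $tag }
}
function Unlock-BoundSed($Sed, [string]$Password) {
    $kek = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $Sed.Salt, 100000).GetBytes(32)
    $tag = [System.Security.Cryptography.HMACSHA256]::new($kek).ComputeHash([byte[]]($Sed.IV + $Sed.WrappedDek))
    if (-not (Test-BytesEqual $tag $Sed.Tag)) { return $null }   # wrong password: nothing to patch around
    $aes = [System.Security.Cryptography.Aes]::Create()
    return ,$aes.CreateDecryptor($kek, $Sed.IV).TransformFinalBlock($Sed.WrappedDek, 0, $Sed.WrappedDek.Length)
}

$weak  = New-WeakSed  'correct horse battery staple'
$bound = New-BoundSed 'correct horse battery staple'

# Attacker with access to the chip's storage and no password:
"weak:  DEK read straight from storage: " + [BitConverter]::ToString($weak.Dek)
"bound: storage holds only " + ($bound.Keys -join ', ') + "; there is no DEK to read"
# Legitimate unlock path:
"bound: wrong password -> " + $(if ($null -eq (Unlock-BoundSed $bound 'wrong')) { 'refused' } else { 'unlocked' })
"bound: right password -> DEK " + [BitConverter]::ToString((Unlock-BoundSed $bound 'correct horse battery staple'))
```

The design choice worth noticing is that in the bound variant the password check and the key recovery are the same operation: a wrong password yields a wrong KEK, the HMAC fails, and there is no separate "is the password right?" branch for an attacker with firmware access to patch. In the weak variant the check and the key are independent, which is exactly why reading the chip or bypassing the compare is enough.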
Not All SSDs May Be Affected
However, I would like to point out two things. Firstly, Meijer and van Gastel only tested a fraction of all SSDs. Research your own SSD and see if it may have a problem. The paper lists the SSDs the two researchers did test.
Attackers Need Local Access
Also note that this requires physical access to the SSD: the attacker has to issue ATA commands to the drive or attach to its firmware debug interface. This means that, as long as nobody gets hold of your SSD, the data it holds is safe.
Having said that, I don't mean that this situation should be treated lightly. A lost or stolen laptop is precisely the case full-disk encryption exists for. I will leave the last word to Meijer and van Gastel:
This [report] challenges the view that hardware encryption is preferable over software encryption. We conclude that one should not rely solely on hardware encryption offered by SSDs.
Wise words indeed.
Radu Tyrsina