Image for post
Image for post

Doh! What My Encrypted Drive Can Be Unlocked By Anyone?

When a password of “” can open up your encrypted drive

Many companies now use full disk encryption for their computers, especially for laptops on the move. So while the usage of TrueCrypt has faded, especially when its open source developers gave up maintaining the code, it has been up to Microsoft BitLocker to take over and become the tool of choice for encrypting disk drives.

But is it actually robust? Well, not if you read this paper [link]:

Image for post
Image for post

I cannot even start to explain how bad this discovery is for the industry, and a complete embarrassment for the vendors involved. The lack of integration between vendors seems almost negligent in the extreme.

The paper outlines that some SSD drives (including Samsung and Crucial) do not actually encrypt the data properly, and that they can be easily by-passed without a system password.

The manufacturers of the drives have been informed through ethical disclosure (in April 2018), and users are being asked to rely on software encryption rather than the embedded hardware encryption. A particular risk is Windows BitLocker — which has a virtual monopoly in the market place for complete disk encryption — as it often relies on the hardware encryption used in the SSD drives.

The affected disks include:

  • Crucial (Micron) MX100, MX200 and MX300 internal hard disks.
  • Samsung T3 and T5 USB external disks.
  • Samsung 840 EVO and 850 EVO internal hard disks.

The research team did not run tests across all the available SSD disks, but found that the following disks could be compromised with a range of attacks:

The researchers investigated the MASTER PASSWORD CAPABILITY bit
in the firmware and which can be set so that a factory-set Master password can unlock the drive. For the Samsung MX300 SSD it was found there was no need to set this bit as it could be reset by decrypting the RDS key. The master password thus protects the main encryption key used for the disk. In the case of the MX300 drive this is “” (an empty string!!!!!!!!!!!!!). Yes … you read that correctly … the password which releases the encryption key for the whole disk is an empty string (32 NULL characters — 32 0x00 byte values):

Image for post
Image for post

Within disk encryption, a system can either use software encryption (and where the data is encrypted before it is presented to the disk) or use hardware encryption (and where the operating system relies on the disk hardware to encrypt and decrypt). The setting for software or hardware encryption is defined in a Group Policy [here]. If the disk supports hardware encryption it will use that option. For the disks effected, a complete reinstall it required, and where the group policy is changed to software encryption. Otherwise a software encryption package named VeraCrypt is recommended as an alternative to BitLocker.

Conclusions

If you need to have full disk encryption, and you have an SSD drive, you just cannot trust hardware encryption. At least with software encryption the data is encrypted before it gets anywhere near your disk. A master password of “” (an empty string — or 32 NULL characters) is shocking, and negligence of the highest kind.

The researchers recommend using an open sourced (and auditable) software encryption method such as VeraCrypt, along with hardware encryption. VeraCrypt is based on the well-loved TrueCrypt open-sourced software distribution:

ASecuritySite: When Bob Met Alice

This publication brings together interesting articles…

Prof Bill Buchanan OBE

Written by

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. EU Citizen. Auld Reekie native. Old World Breaker. New World Creator.

ASecuritySite: When Bob Met Alice

This publication brings together interesting articles related to cyber security.

Prof Bill Buchanan OBE

Written by

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. EU Citizen. Auld Reekie native. Old World Breaker. New World Creator.

ASecuritySite: When Bob Met Alice

This publication brings together interesting articles related to cyber security.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store