Microsoft stops trusting SSD maker hardware encryption

by Mark Tyson on 30 September 2019, 11:11

Tags: Microsoft (NASDAQ:MSFT), Samsung (005935.KS), Crucial Technology (NASDAQ:MU)


In the wake of the "pattern of critical issues" in SSD encryption revealed last year by researchers at Radboud University in Holland, Microsoft issued a security advisory regarding a vulnerability that affects hardware-based encryption on SSDs. The issue stemmed from SSD firmware makers using master passwords and/or faulty standards implementations, so your hardware-encrypted data would be pretty easy to poke through in many cases.

Initially Microsoft recommended admins configure BitLocker to "enforce software encryption," in light of the vulnerabilities in the hardware encryption of certain self-encrypting drives (SEDs). Now it has gone a step further, with an update to Windows 10 default BitLocker behaviour - meaning the system will by default use software encryption - even if the drive is flagged as 'self-encrypting'.

Within the Windows 10 1709 update KB4516071 released last week you will find there are numerous improvements and fixes. As well as the highlighted update to an issue that "causes excessive CPU usage when you switch applications or hover over the Taskbar," Microsoft listed a change that affects BitLocker encryption. The full entry on this aspect of the update reads as follows:

"Changes the default setting for BitLocker when encrypting a self-encrypting hard drive. Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change."

Many SSD makers boast about their on-the-fly encryption, and in theory it should work better and more efficiently, using a dedicated on-device encryption processor to take this task away from your Windows PC's CPU. However, if your security isn't secure it's completely pointless, a waste of time and resources, and gives you a false sense of security.

Thankfully, if you do own drive(s) with strong security - and it works as advertised - you can still toggle BitLocker to trust the built-in security in those instances. This is just a default change for new users/setups.
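Because the update leaves existing drives as they are, an admin will want to know which volumes still rely on the drive's own encryption. The following is an added example, not from the article or from Microsoft: a read-only audit that assumes the standard BitLocker PowerShell module (`Get-BitLockerVolume`) and the BitLocker Group Policy values under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`; the variable names are illustrative.

```powershell
# Added example: audit BitLocker volumes for drive-offloaded (hardware) encryption.
# Run in an elevated Windows PowerShell session; read-only, changes nothing.

# Group Policy values that control whether BitLocker may use a drive's own
# encryption, per drive class: OS, fixed data, removable data.
$fveKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$classes = [ordered]@{
    'Operating system drives' = 'OSHardwareEncryption'
    'Fixed data drives'       = 'FDVHardwareEncryption'
    'Removable data drives'   = 'RDVHardwareEncryption'
}

$policy = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
foreach ($class in $classes.Keys) {
    $name  = $classes[$class]
    $value = if ($policy) { $policy.$name } else { $null }
    if ($null -eq $value) {
        $state = 'not configured (Windows default applies)'
    } elseif ($value -eq 0) {
        $state = 'hardware encryption disabled, software encryption enforced'
    } else {
        $state = 'hardware encryption permitted'
    }
    '{0,-24} {1}' -f $class, $state
}

# What each volume is actually using today. The policy and the new default only
# affect newly encrypted drives, so existing volumes must be checked directly.
$report = foreach ($vol in Get-BitLockerVolume) {
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeType       = $vol.VolumeType
        VolumeStatus     = $vol.VolumeStatus
        EncryptionMethod = $vol.EncryptionMethod
        HardwareOffload  = ([string]$vol.EncryptionMethod -eq 'HardwareEncryption')
    }
}
$report | Format-Table -AutoSize

$offloaded = @($report | Where-Object { $_.HardwareOffload })
if ($offloaded.Count -gt 0) {
    $list = $offloaded.MountPoint -join ', '
    Write-Warning ("{0} volume(s) rely on the drive's own encryption: {1}" -f $offloaded.Count, $list)
} else {
    'No BitLocker volume reports EncryptionMethod = HardwareEncryption.'
}
```

A volume flagged here keeps using hardware encryption after the update; moving it to software encryption means turning BitLocker off so the volume is decrypted, then encrypting it again.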



HEXUS Forums :: 10 Comments

Because Microsoft has such a stellar record when it comes to bug-free code…
azrael-
Because Microsoft has such a stellar record when it comes to bug-free code…

That doesn't exonerate the SSD manufacturers.

Because one doesn't have a stellar record doesn't excuse the issues found in others.
Fantastic straw-man argument there azrael.

It's a great shame the people tasked with implementing security have such a poor understanding with the fundamentals (such as not using a generic password for everybody).
More importantly - should we trust any closed & proprietary security platform that has no credible, comprehensive and continuous independent security auditing, regardless of manufacturer?
Tabbykatze
That doesn't exonerate the SSD manufacturers.

Because one doesn't have a stellar record doesn't excuse the issues found in others.
I quite agree with you on this. It's just with all the bungled updates, bugs and what not courtesy of Microsoft they probably shouldn't pretend to know better. I originally intended to state “Pot, meet Kettle”. Perhaps I should have.

Dashers
Fantastic straw-man argument there azrael.

It's a great shame the people tasked with implementing security have such a poor understanding with the fundamentals (such as not using a generic password for everybody).
Not quite sure what you mean with “straw-man argument”. I'm not defending manufacturers of SSDs. I just believe Microsoft should take care of their own flaws before pointing the finger.

chinf
More importantly - should we trust any closed & proprietary security platform that has no credible, comprehensive and continuous independent security auditing, regardless of manufacturer?
Very well said, tbh.