BitLocker and Solid State Drives (SSD)


To keep devices secure, many companies rely on a Microsoft product called BitLocker. BitLocker is a full-disk encryption platform that helps protect a computer against offline attacks. If a laptop or desktop is lost or stolen, the drive in the device is encrypted and unreadable without the credentials required to unlock it.

Recently a serious security risk was discovered when BitLocker is used with solid state drives (SSD). This flaw allows drives that are not properly encrypted to be compromised and user data recovered. The problem was discovered by Carlo Meijer and Bernard van Gastel of Radboud University.

The issues they found stem from flawed hardware encryption implemented by the SSDs themselves, not from the BitLocker application directly. When BitLocker is first enabled on a drive, it queries the SSD to determine whether it offers built-in hardware encryption. If the drive reports hardware encryption support, BitLocker automatically accepts it as the default configuration; it does not fall back to software encryption or prompt the user to choose an encryption method.

When analyzed, the hardware encryption of many SSD manufacturers was found to have major flaws. SSD vendors have not been diligent in how they design, plan and implement hardware encryption in their devices. In one test case, the encryption on one brand of SSD used a blank master password: all someone needed to do to decrypt the drive was run the decryption program and press Enter when prompted for the security key. In other cases, the researchers were able to bypass the security checks altogether, making the encryption useless. These flaws were found in most major SSD brands, including Samsung, Crucial, SanDisk and others. The flaws affected most product lines because the same hardware encryption techniques were reused across multiple SSD models, which makes breaking into them a fairly straightforward guessing game.

How could this flaw affect you and your organization?

Companies have grown accustomed to believing there is minimal risk when PCs or laptops are lost or stolen, since the drives are encrypted and company data cannot be retrieved. If your organization has users who save PHI, PII, PCI or other critical, proprietary customer data on their local PCs or laptops, you could be at significant risk of a data breach and fines. Whether a device was lost or stolen last year, this week or next month, you may be at risk.

Microsoft has released a security advisory with steps you can follow to determine whether you are vulnerable. At this point, there are no known security issues with the software encryption that Microsoft BitLocker uses. It is recommended that all organizations put plans in place to identify whether their PCs and laptops are using hardware encryption and reconfigure them for software encryption immediately.
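The following PowerShell script is an added example, not code from the article or from Microsoft. It performs the check the advisory describes, running `manage-bde.exe -status` and reporting every BitLocker volume whose "Encryption Method" field shows "Hardware Encryption", which means the volume is relying on the SSD's own encryption rather than BitLocker's software path. The `Get-HardwareEncryptedVolumes` function name and the sample `manage-bde` output used to exercise the parser offline are constructed for this example; run it in an elevated PowerShell session on the machine you want to audit.

```powershell
# Added example (not from the original article): audit BitLocker volumes for
# SSD hardware encryption by parsing the output of `manage-bde -status`.
# Requires an elevated PowerShell session on Windows when run against real drives.

function Get-HardwareEncryptedVolumes {
    param(
        # Raw lines of `manage-bde -status`; defaults to running the tool.
        # Pass captured text (as below) to test the parser without a real drive.
        [string[]]$StatusText = (& manage-bde.exe -status 2>&1)
    )
    $volumes = @()
    $current = $null
    foreach ($line in $StatusText) {
        # Each volume block begins with a line such as "Volume C: [OSDisk]"
        if ($line -match '^Volume\s+([A-Z]:)') {
            $current = [pscustomobject]@{ Drive = $Matches[1]; Method = 'Unknown'; Status = 'Unknown' }
            $volumes += $current
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+)$') {
            $current.Method = $Matches[1].Trim()
        }
        elseif ($current -and $line -match '^\s*Conversion Status:\s*(.+)$') {
            $current.Status = $Matches[1].Trim()
        }
    }
    # "Hardware Encryption" means BitLocker delegated encryption to the SSD itself,
    # which is exactly the configuration the Radboud research showed to be unsafe.
    $volumes | Where-Object { $_.Method -like 'Hardware*' }
}

# Constructed sample output shaped like `manage-bde -status`, for an offline run.
$sample = @'
BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [OSDisk]
[OS Volume]

    Size:                 476.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        Password
'@ -split "`r?`n"

# Against the constructed sample this flags C: only; drop -StatusText to audit a live machine.
$atRisk = Get-HardwareEncryptedVolumes -StatusText $sample
if ($atRisk) {
    $atRisk | ForEach-Object {
        Write-Warning "$($_.Drive) uses '$($_.Method)' ($($_.Status)); re-encrypt with software encryption"
    }
}
else {
    Write-Output "No BitLocker volumes rely on SSD hardware encryption."
}
```

For any volume the script flags, the remediation the advisory describes is to turn BitLocker off on that volume, set the Group Policy settings under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption named "Configure use of hardware-based encryption for operating system drives" (and the matching settings for fixed and removable data drives) to Disabled, and then turn BitLocker back on so the volume is re-encrypted with BitLocker's own software encryption. Disabling BitLocker and re-enabling it is required: changing the policy alone does not convert a volume that is already using hardware encryption.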