When a password of “” can open up your encrypted drive
Many companies now use full disk encryption for their computers, especially for laptops on the move. So while the usage of TrueCrypt has faded, especially when its open source developers gave up maintaining the code, it has been up to Microsoft BitLocker to take over and become the tool of choice for encrypting disk drives.
But is it actually robust? Well, not if you read this paper [link]:
I cannot even start to explain how bad this discovery is for the industry, and a complete embarrassment for the vendors involved. The lack of integration between vendors seems almost negligent in the extreme.
The paper outlines that some SSD drives (including Samsung and Crucial) do not actually encrypt the data properly, and that they can be easily by-passed without a system password.
The manufacturers of the drives have been informed through ethical disclosure (in April 2018), and users are being asked to rely on software encryption rather than the embedded hardware encryption. A particular risk is Windows BitLocker — which has a virtual monopoly in the market place for complete disk encryption — as it often relies on the hardware encryption used in the SSD drives.
The affected disks include:
- Crucial (Micron) MX100, MX200 and MX300 internal hard disks.
- Samsung T3 and T5 USB external disks.
- Samsung 840 EVO and 850 EVO internal hard disks.
The research team did not run tests across all the available SSD disks, but found that the following disks could be compromised with a range of attacks:
The researchers investigated the MASTER PASSWORD CAPABILITY bit
in the firmware and which can be set so that a factory-set Master password can unlock the drive. For the Samsung MX300 SSD it was found there was no need to set this bit as it could be reset by decrypting the RDS key. The master password thus protects the main encryption key used for the disk. In the case of the MX300 drive this is “” (an empty string!!!!!!!!!!!!!). Yes … you read that correctly … the password which releases the encryption key for the whole disk is an empty string (32 NULL characters — 32 0x00 byte values):
Within disk encryption, a system can either use software encryption (and where the data is encrypted before it is presented to the disk) or use hardware encryption (and where the operating system relies on the disk hardware to encrypt and decrypt). The setting for software or hardware encryption is defined in a Group Policy [here]. If the disk supports hardware encryption it will use that option. For the disks effected, a complete reinstall it required, and where the group policy is changed to software encryption. Otherwise a software encryption package named VeraCrypt is recommended as an alternative to BitLocker.
If you need to have full disk encryption, and you have an SSD drive, you just cannot trust hardware encryption. At least with software encryption the data is encrypted before it gets anywhere near your disk. A master password of “” (an empty string — or 32 NULL characters) is shocking, and negligence of the highest kind.
The researchers recommend using an open sourced (and auditable) software encryption method such as VeraCrypt, along with hardware encryption. VeraCrypt is based on the well-loved TrueCrypt open-sourced software distribution: