How to Switch to Software Encryption on a Vulnerable Solid State Drive
Researchers at Radboud University in the Netherlands have discovered serious security issues with multiple solid state drives that use hardware encryption: vulnerabilities that would allow an attacker with the drive in hand to gain access to its “encrypted” contents without knowing the password.
First, here is a list of the affected drives:
- Crucial MX100, MX200, and MX300 internal SSDs
- Samsung T3 and T5 External Solid State Drives
- Internal solid state drives Samsung 840 EVO and 850 EVO
You can read the detailed research report, which lists the specific vulnerabilities for each drive model.
However, the fun doesn’t end there. Users of one of the affected drives might assume that Microsoft BitLocker, which ships with Windows 10 Pro, will fix the issue by applying software encryption. BitLocker may even report that one of the SSDs listed above is encrypted. It turns out that this is not true.
Instead, when BitLocker notices that an SSD is offering hardware encryption, it defaults to using that instead of BitLocker software encryption. If you are using one of the drives listed above, BitLocker will assume that your drive is encrypted, when in fact it is quite vulnerable (if someone gains physical access to it), which will make you much less secure.
Both Samsung and Crucial have released firmware updates to address these issues with their SSDs – and you should install them now – but even Samsung is suggesting that users also use third-party software to encrypt their data. We have a few guidelines for doing this, but first, here’s how to check the type of encryption your SSD is using:
How to tell if your drive is using hardware or software encryption on Windows
First open an elevated command prompt. You can do this by typing “cmd” in the search box on the Windows taskbar, but don’t hit enter yet. Wait until “Command Prompt” appears in the search results, then right-click it and select “Run as administrator”. A command prompt window titled “Administrator: Command Prompt” should open.
In the elevated Command Prompt window, type manage-bde.exe -status and press Enter.
You will see a list of the drives on your system and the type of encryption they use (if any). If you are using any of the affected drives described above and it is listed as using software encryption, then you are not exposed to a potential security risk. However, if any of them use hardware encryption, then you are vulnerable. In this case, we need to change the encryption method to one that actually works.
How to enforce BitLocker software encryption
Microsoft says that while BitLocker relies on hardware drive encryption by default, you can force the drive to use software-based BitLocker encryption instead. You don’t have to reformat drives or reinstall any applications to change the encryption method (despite conflicting information in the original report by Radboud researchers).
First, you need to change the Group Policy settings for BitLocker. To open the Group Policy Editor, type “Group Policy” in the search box on the taskbar, then click Group Policy Editor. In the editor, select Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
Under Fixed Data Drives, double-click “Configure to use hardware encryption for fixed data drives”, then click Change. Set the option to Disabled and click Apply. Repeat these steps for the settings with the same names in the “Operating system drives” and “Removable data drives” folders.
We then have to decrypt and re-encrypt the drive by disabling and re-enabling BitLocker. In Windows Explorer, open This PC, right-click the drive and select Manage BitLocker. A Control Panel pop-up window appears listing the drives on your system and the option to turn BitLocker on or off.
The decryption process can take several hours depending on how much data is stored on the disk. After re-enabling BitLocker, the drive will now be encrypted using BitLocker software encryption. As in the previous step, this may take a while depending on the size of the disk, but once this is done, your disk is completely – and properly – protected.
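As an added example that is not part of this article, the following PowerShell script automates the two checks described above: it parses the output of manage-bde -status to flag any volume whose encryption method is hardware-based, and it reads the registry values that the three “hardware-based encryption” Group Policy settings write, to confirm each is Disabled (0) before you turn BitLocker off and back on. The registry value names and the sample manage-bde output are my own assumptions and constructed data, not taken from the article or from Microsoft documentation.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session. Parses "manage-bde -status" text into one object per volume.
function ConvertFrom-ManageBdeStatus {
    param([string[]]$Lines)
    $volumes = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Volume ([A-Z]):') {
            # A new "Volume X:" header starts a new record.
            $current = [pscustomobject]@{ Drive = $Matches[1]; Method = 'Unknown' }
            $volumes += $current
        } elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+)$') {
            $current.Method = $Matches[1].Trim()
        }
    }
    return $volumes
}

# Volumes that still rely on the drive's own (possibly flawed) hardware encryption.
function Get-HardwareEncryptedVolumes {
    param([string[]]$Lines)
    ConvertFrom-ManageBdeStatus $Lines | Where-Object { $_.Method -like 'Hardware Encryption*' }
}

# Registry values behind the three "Configure use of hardware-based encryption"
# policies (OS, fixed, removable). 0 = Disabled, i.e. software encryption is
# enforced. The value names are an assumption based on the BitLocker ADMX templates.
function Test-SoftwareEncryptionPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Setting = $name; SoftwareEnforced = ($value -eq 0) }
    }
}

# Constructed sample output so the parser runs offline. On a real system use:
#   $lines = manage-bde -status
$lines = @(
    'Volume C: [Windows]', '[OS Volume]',
    '    Conversion Status:    Fully Encrypted',
    '    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2',
    'Volume D: [Data]', '[Data Volume]',
    '    Conversion Status:    Fully Encrypted',
    '    Encryption Method:    XTS-AES 128'
)
Get-HardwareEncryptedVolumes $lines | ForEach-Object {
    Write-Warning "Volume $($_.Drive): uses '$($_.Method)'; disable the hardware policy, then decrypt and re-encrypt."
}
Test-SoftwareEncryptionPolicy | Format-Table -AutoSize
```

With the constructed sample, only volume C: is reported; on a live machine any setting showing SoftwareEnforced = False means the corresponding Group Policy step has not taken effect yet.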
Use third party software
If you don’t trust BitLocker, don’t have it, or aren’t a Windows user, but are still looking for a way to encrypt your compromised Samsung or Crucial hard drive, your best bet is to use third-party encryption software.
There are many third-party alternatives available. The Radboud researchers recommend that consumers use VeraCrypt, free and open source encryption software that has been popular for years. There are also good paid products like Folder Lock ($40) and AxCrypt (free, $36 for premium or $90 for business), which often include customer support, Mac support, and special features or additional security add-ons that are worth their price.