720-891-1663
Return to the list of client alerts
Encryption is a good thing. In fact I use it all the time. Most of us do. If you have an iPhone and it has a password, it is encrypted, for example.
But encryption is only as good as the software developers who wrote the code. (Note, there is almost no such thing as hardware encryption any more. The question is only WHERE the software lives and that, in fact, is the root of this alert).
Researchers at Radboud University have discovered that encrypted doesn’t always mean encrypted. They have found holes in the security of several popular ‘self-encrypting’ disk drives including the very popular Samsung and Crucial SSDs.
In one case the master password for the disk was blank and in another, they could bypass password validation easily.
That might be okay if the drive was software encrypted on top of flawed “so-called-hardware” encryption. But often it is not.
In the Windows world, it appears that Bitlocker asks the drive if it is encrypted and if it is, the default policy is not to encrypt it with Bitlocker (that can be and should be changed).
Matthew Green, the well known Cryptographer at Johns Hopkins (and a pretty entertaining speaker) likened the Bitlocker “flaw” (I am sure that Microsoft, up until this announcement, called it a feature) to “jumping out of a plane with an umbrella instead of a parachute”. After all, just like all of the processor flaws we have seen this year (Spectre, Meltdown and others), lets just squeeze a little more performance out of this beast. I am sure it will work just fine.
But this is a whole new level of IoT.
We know we have to patch our operating systems.
And we have to patch our devices drivers.
But how many of us patch the firmware on the controllers of the devices themselves?
In the olden days of mainframes, I remember doing that regularly. But not with PCs.
Samsung’s answer is that users should install software encryption (i.e. not trust the reason why we bought your device in the first place). Crucial has a patch in the often, but it is not fully baked yet.
The bigger problem is that since the firmware on internal disk drive controllers is proprietary, who knows how many other disk drives are pretending to encrypt your data?
Oh.
Wait.
The Chinese probably know.
In fact, maybe, they put the backdoor in there in the first place.
Hmmmm.
Trust. But Verify. Where have I heard that before.
So – Make sure you watch for patches for your hardware (not drivers but the hardware itself). We saw that earlier this year with all of the chip patches for Intel and AMD chips.
When patches become available, install them.
Configure your Bitlocker options for maximum security and not maximum convenience.
Consider security focused encrypted drives like Apricorn; they have a vested interest in being secure.
This, unfortunately, is not simple, but you can improve the odds.
Source: Techcrunch .