Microsoft has issued a security advisory regarding a new vulnerability that affects hardware-based encryption on SSDs. The vulnerability was first discovered by Dutch security researchers Carlo Meijer and Bernard van Gastel from Radboud University, who published a paper titled “Weaknesses in the Encryption of Solid State Drives”.
The vulnerability allows attackers to gain access to the drive and read its data without knowing the password. The silver lining is that the drive needs to be hardwired to the attacker's system for the attack to work, so don’t leave your device unattended. Meanwhile, Microsoft has shared a step-by-step process for system admins to switch from hardware-based encryption to software-based encryption. The vulnerability affects drives from almost all major SSD manufacturers, including the Crucial MX100, MX200 and MX3000, the Samsung T3 and T5, and the Samsung 840 Evo and 850 Evo.
System admins can check whether they are using software-based encryption with the following process.
- Open an elevated command prompt, e.g. by opening the Start menu, typing cmd.exe, right-clicking on the result, and selecting the “run as administrator” option.
- Confirm the UAC prompt that is displayed.
- Type manage-bde.exe -status and press Enter.
- Check for “Hardware Encryption” under Encryption Method.
The drive is using software encryption if there is no reference to hardware encryption in the output.
System admins can also switch to software encryption using the following process.
- Open the Start menu.
- Type gpedit.msc and press Enter.
- Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
- For the system drive, open Operating System Drives and double-click on Configure use of hardware-based encryption for operating system drives.
- For fixed data drives, open Fixed Data Drives and double-click on Configure use of hardware-based encryption for Fixed Data Drives.
- For removable drives, open Removable Data Drives and double-click on Configure use of hardware-based encryption for Removable Data Drives.
- Set the required policies to Disabled. A value of Disabled forces BitLocker to use software encryption for all drives, even those that support hardware encryption.
The setting applies only to new drives that you connect to the computer. BitLocker won’t apply the new encryption method to drives that are already encrypted, so you will need to decrypt such a drive and re-encrypt it to switch it to software encryption.
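The check and the policy change described above can be audited from one elevated PowerShell prompt. This is an added example, not from Microsoft's advisory or the original article: it parses the same manage-bde.exe -status output the check relies on and then reads the BitLocker policy key, assuming the three policies write the registry values OSHardwareEncryption, FDVHardwareEncryption and RDVHardwareEncryption under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example: audit BitLocker volumes for hardware encryption and report
# whether the group policies that force software encryption are in place.
# Run from an elevated PowerShell prompt.

# 1. Parse manage-bde -status (the command the check above uses). Each
#    "Volume X:" block has an "Encryption Method:" line that reads
#    "Hardware Encryption" for a self-encrypting drive.
$status  = manage-bde.exe -status 2>&1
$volume  = $null
$findings = foreach ($line in $status) {
    if ($line -match '^Volume\s+(\S+)') { $volume = $Matches[1]; continue }
    if ($line -match 'Encryption Method:\s*(.+)$') {
        [pscustomobject]@{
            Volume   = $volume
            Method   = $Matches[1].Trim()
            Hardware = [bool]($Matches[1] -match 'Hardware Encryption')
        }
    }
}
$findings | Format-Table -AutoSize

# 2. Check the three "Configure use of hardware-based encryption" policies.
#    Assumed mapping: Disabled writes DWORD 0, Enabled writes DWORD 1, and
#    an absent value means the policy is Not Configured.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policies  = @{
    OSHardwareEncryption  = 'Operating System Drives'
    FDVHardwareEncryption = 'Fixed Data Drives'
    RDVHardwareEncryption = 'Removable Data Drives'
}
foreach ($name in $policies.Keys) {
    $value = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    $state = switch ($value) {
        0       { 'Disabled (software encryption enforced)' }
        1       { 'Enabled (hardware encryption allowed)' }
        default { 'Not configured (Windows default applies)' }
    }
    '{0,-24} {1}' -f $policies[$name], $state
}

# 3. The policy only affects newly encrypted drives, so flag volumes that
#    are still hardware-encrypted and need a decrypt and re-encrypt.
$findings | Where-Object Hardware | ForEach-Object {
    "Volume $($_.Volume) uses $($_.Method); decrypt and re-encrypt it to switch to software encryption."
}
```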
The good thing is that the issue only affects SSDs and not HDDs. Since we have seen an increase in the adoption of SSDs in recent years, though, it is a good idea to take a look at the encryption method used on your SSDs to prevent potential data theft. If nothing else, the basic thing you can do is not leave your laptop unattended.