Encrypting our files is one of the most widely used methods to protect them, especially on smartphones and laptops that can easily get stolen. For example, Windows has a tool called BitLocker that lets us do precisely that. It lets us encrypt the entire drive so no one has access to our files without the password. However, according to a new study, this encryption method might not be useful at all.
Last night the team at HardZone reported how several researchers managed to bypass the hardware-based encryption of several SSDs that were using BitLocker, being able to easily steal the files stored on the drives without needing a password.
Security researchers demonstrated this encryption issue using Crucial and Samsung SSDs, although they believe many other manufacturers might be affected by the flaw. Whereas Samsung’s SSD was almost protected against the issue, Crucial’s was a mess: the master password that protects the encryption password was just an empty string. In effect it does not exist, so anyone can bypass it.
The problem is not BitLocker but the SSDs
The encryption issue is not due to BitLocker but the SSDs themselves. Although BitLocker uses software-based encryption to encrypt an HDD, Microsoft’s tool tries to use hardware-based encryption when we try to encrypt an SSD because it is faster, simpler and supposedly safer.
If we want to avoid this problem, the only thing to do is to configure BitLocker through Group Policy so it does not rely on the SSD. This way SSDs will use software-based encryption, like HDDs, to encrypt files.
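One way to check whether a machine is exposed, as an added example that is not part of the original article: the PowerShell below reads the Group Policy registry values that control BitLocker's use of hardware encryption and flags any volume whose encryption is done by the drive itself. It assumes an elevated session on a Windows machine with the BitLocker PowerShell module installed.

```powershell
# Added example, not code from the article or from the researchers.
# Run in an elevated PowerShell session; requires the BitLocker module.

# 1. Show the hardware-encryption policy values. 0 means BitLocker must not
#    hand encryption to the drive; a missing value means no policy is set
#    and the Windows default for that build applies.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policyNames = [ordered]@{
    OSHardwareEncryption  = 'Operating system drives'
    FDVHardwareEncryption = 'Fixed data drives'
    RDVHardwareEncryption = 'Removable data drives'
}
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in $policyNames.Keys) {
    $value = if ($policy -and $null -ne $policy.$name) { $policy.$name } else { 'not configured' }
    '{0,-24} {1,-22} {2}' -f $policyNames[$name], $name, $value
}

# 2. List every BitLocker volume with the method actually in use.
$volumes = @(Get-BitLockerVolume)
$volumes |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod |
    Format-Table -AutoSize

# 3. Flag volumes where the SSD, not BitLocker, is doing the encryption.
$hardware = @($volumes | Where-Object { "$($_.EncryptionMethod)" -eq 'HardwareEncryption' })
if ($hardware.Count -gt 0) {
    Write-Warning ('Volumes relying on SSD hardware encryption: ' +
                   ($hardware.MountPoint -join ', '))
} else {
    'No volume relies on SSD hardware encryption.'
}
```

Setting the policy only affects volumes encrypted afterwards: a volume that already reports `HardwareEncryption` has to be decrypted and then encrypted again with BitLocker before it switches to software encryption.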
Hardware has become our worst weakness
The SSD encryption flaw is not our only security problem. Since the beginning of the year we have seen two major vulnerabilities, Meltdown and Spectre, putting users’ security at risk. These two vulnerabilities attack us directly from the processor. Yesterday we also told you how Intel’s Hyper-Threading technology is vulnerable and lets sensitive data like encryption passwords get stolen, and there is nothing we can do about it.
The time for mistrusting hardware-based encryption has come. If we really want to protect our files, the best thing to do is to have additional encryption systems like VeraCrypt (in the case of SSDs, for example). This way we will make sure our PC has the latest security patches installed.
This will not make the SSD safe, but it will make it harder to exploit the flaw.