
Security Update: Researchers have identified flaws in the hardware-based encryption of Solid State Drives (SSDs) made by Samsung and Crucial

Status Type

Security Update

Date and Time

Thursday, November 8, 2018 - 15:50

Reason

Security update

Impact

Samsung and Crucial SSDs users

WHAT HAPPENED

Researchers at Radboud University in the Netherlands have identified several flaws in the hardware-based encryption of Solid State Drives (SSDs) made by Samsung and Crucial. These flaws can allow access to encrypted data without authorization. The default behavior of Microsoft’s BitLocker encryption does NOT protect against this vulnerability. Users of computers with the affected drives - whether using the SSD’s hardware-based encryption directly or BitLocker - will need to take action to protect their data.


For a description of the vulnerabilities and affected systems, visit:


AFFECTED SYSTEMS

Please note that this is not an all-inclusive list of affected systems. Contact your vendor(s) to determine if this vulnerability affects your system(s) and to obtain updates for your products or recommendations for mitigating this vulnerability.

Affected models include, but are not limited to:

  • Crucial MX100, MX200, and MX300 internal solid state disks
  • Samsung T1, T3, and T5 USB external solid state disks
  • Samsung 840 EVO and 850 EVO internal solid state disks
  • Other drive models with hardware-based encryption from these or other manufacturers may also be affected, but this has not yet been demonstrated or announced.

Users who have an affected drive model but are using DDPE from UCSF to encrypt that drive are NOT susceptible to this vulnerability.


WHAT’S THE PROBLEM?

An attacker with physical access to an affected encrypted drive could gain unauthorized and complete access to encrypted data. Microsoft BitLocker encryption provides no additional protection to encrypted data on affected drives when using the default settings in Windows 8.1, 10, Server 2012, Server 2016, or Server 2019.


WHAT DO I NEED TO DO?


1. Determine if Your Computer is Affected

Users who have an affected drive model but are using DDPE from UCSF are NOT susceptible to this vulnerability.

If you are using BitLocker encryption on a Windows computer, you should apply firmware updates for your drive as available and also determine if BitLocker is using hardware-based or software-based encryption.

To determine whether BitLocker is using hardware-based encryption or software-based encryption:

  1. Run "manage-bde.exe -status" in an administrator command prompt.
  2. If the "Encryption Method" starts with "Hardware Encryption", then BitLocker is using the drive’s hardware-based encryption. You will need to take additional action to secure your data. These steps are detailed below.
  3. If the "Encryption Method" states something other than "Hardware Encryption", such as "AES-128" or "XTS AES-256 with Diffuser", then BitLocker is using software-based encryption and you do not need to take additional action.
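The check above, as an added PowerShell example that is not part of the UCSF advisory: it parses the output of "manage-bde -status" and flags every volume whose Encryption Method begins with "Hardware Encryption". The sample output embedded in the script is constructed and abridged; when manage-bde.exe is available the script uses live output instead (run it from an elevated prompt).

```powershell
# Added example (not from the UCSF advisory): parse "manage-bde -status" output and flag
# any volume whose Encryption Method begins with "Hardware Encryption".
function Get-BitLockerEncryptionType {
    param([string[]]$StatusLines)   # lines of manage-bde -status output
    $results = @()
    $current = $null
    foreach ($line in $StatusLines) {
        if ($line -match '^Volume\s+(\S+)') {
            $current = $Matches[1]          # e.g. "C:"
        }
        elseif ($current -and $line -match '^\s*Encryption Method:\s*(.+?)\s*$') {
            $method = $Matches[1]
            $results += [pscustomobject]@{
                Volume   = $current
                Method   = $method
                Hardware = [bool]($method -like 'Hardware Encryption*')
            }
        }
    }
    return $results
}

# Constructed, abridged sample of manage-bde -status output for offline demonstration.
$sample = @'
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
'@ -split "`r?`n"

# Prefer live output (elevated prompt) and fall back to the constructed sample otherwise.
$lines = if (Get-Command manage-bde.exe -ErrorAction SilentlyContinue) { manage-bde.exe -status } else { $sample }
foreach ($v in Get-BitLockerEncryptionType -StatusLines $lines) {
    if ($v.Hardware)             { Write-Warning "$($v.Volume) relies on the drive's hardware encryption ($($v.Method)); follow the steps below." }
    elseif ($v.Method -eq 'None') { Write-Warning "$($v.Volume) is not encrypted at all." }
    else                         { Write-Host    "$($v.Volume) uses software encryption ($($v.Method)); no further action needed." }
}
```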

2. Update Your Drive Firmware

UCSF recommends making a full backup of all data on a drive before updating firmware.

Crucial has already released firmware updates for MX100 and MX200 drives in May 2018. A firmware update for MX300 drives is expected to be available after November 13, 2018 to address this vulnerability. Contact Crucial support for more information at http://www.crucial.com/usa/en/support-ssd.

Samsung has recommended that users with external SSDs (such as the T1, T3, and T5 products) should update the firmware on these products. For more details, see: https://www.samsung.com/semiconductor/minisite/ssd/support/consumer-notice/. You may also be able to use software-based encryption products on these drives to encrypt data.

Samsung has not indicated that they will release a firmware update for 840 EVO and 850 EVO internal SSDs; users of these drives will need to switch to a software-based encryption method as detailed below.


3. Switch to Software-Based Encryption

If you are using hardware-based disk encryption on a non-Windows computer, apply firmware updates as available and/or switch to software-based encryption. As a reminder, any device used for UCSF work or study must be encrypted to comply with the UCSF Minimum Security Standard (http://tiny.ucsf.edu/mss).

Samsung has recommended that users with internal SSDs install and use software-based encryption to encrypt data on their drives.

UCSF recommends that users with internal Samsung SSDs using hardware-based encryption, BitLocker, or both should:

  1. Make a full backup of all data on the drive
  2. Decrypt BitLocker and any hardware-based encryption on the drive
  3. If you plan on using BitLocker to encrypt again, you must disable hardware-based encryption for BitLocker. This step requires editing local Group Policy on Windows and should not be done lightly. You do not need to perform this step if you use a software-based encryption product such as DDPE instead of BitLocker.


Edit local Group Policy to disable hardware-based encryption for BitLocker as described at:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#bkmk-hdefxd

WARNING: Serious problems may occur if you edit Group Policy settings incorrectly or edit Group Policy settings other than the one specified. These problems may require that you reinstall Windows and/or may carry serious and non-obvious negative implications for the usability, confidentiality, availability, and integrity of your computer and data. There is no guarantee that these problems can be diagnosed or solved in a timely manner.

Edit Group Policy at your own risk.
UCSF IT Field Services and the UCSF IT Service Desk may not be able to assist you with editing Group Policy settings on BYOD or unsupported computers.
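Before re-encrypting with BitLocker, it is worth confirming that the policy change actually took effect. The following PowerShell check is an added example, not part of the UCSF advisory or Microsoft documentation; it assumes that the three "Configure use of hardware-based encryption" policies are stored as the registry values OSAllowHardwareEncryptionFlag, FDVAllowHardwareEncryptionFlag and RDVAllowHardwareEncryptionFlag under HKLM\SOFTWARE\Policies\Microsoft\FVE (operating system, fixed and removable drives respectively).

```powershell
# Added example (not from the UCSF advisory): verify that BitLocker policy now forbids
# hardware-based encryption for all three drive classes before re-encrypting.
# Assumption: the policies are stored as the DWORD values named below under the FVE policy key.
function Test-HardwareEncryptionDisabled {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $names = 'OSAllowHardwareEncryptionFlag', 'FDVAllowHardwareEncryptionFlag', 'RDVAllowHardwareEncryptionFlag'
    $allDisabled = $true
    foreach ($name in $names) {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value) {
            # Not configured: BitLocker is still free to choose the drive's hardware encryption
            # when a new volume is encrypted, which is exactly the default this advisory warns about.
            Write-Warning "$name is not configured (hardware-based encryption still allowed by default)"
            $allDisabled = $false
        }
        elseif ($value -ne 0) {
            Write-Warning "$name = $value (hardware-based encryption still allowed)"
            $allDisabled = $false
        }
        else {
            Write-Host "$name = 0 (hardware-based encryption disabled)"
        }
    }
    return $allDisabled
}

if (Test-HardwareEncryptionDisabled) {
    Write-Host 'Policy is in place; BitLocker will fall back to software-based encryption when re-enabled.'
} else {
    Write-Warning 'Correct the policy (and run gpupdate /force) before re-encrypting with BitLocker.'
}
```

Run the check from an elevated PowerShell prompt after editing local Group Policy; a result of $true means all three policies are set to "Disabled".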


  4. Re-encrypt the drive with BitLocker, OR re-encrypt the system using a software-based encryption product such as DDPE.


DDPE is available for free to the UCSF community at https://software.ucsf.edu and support for it is available 24/7 via the IT Service Desk at http://help.ucsf.edu or at 415-514-4100.
Other software-based encryption products can also be used to secure data.


RELATED LINKS