Self-encrypting drives are hardly any better than software-based encryption

If a laptop using a self-encrypted drive is stolen or lost while in sleep mode, the security of its data can't be guaranteed

Companies relying on self-encrypting drives (SEDs) to secure data stored on their employees' laptops should be aware that this technology is not immune to attack and should carefully consider whether they want to use this rather than software-based approaches.

Daniel Boteanu and Kevvie Fowler from KPMG Canada demonstrated three data recovery methods against laptops using SEDs at the Black Hat Europe security conference in Amsterdam Thursday.

Self-encrypting drives perform the data encryption and decryption operations on a dedicated crypto processor that is part of the drive controller. That gives them several, mainly performance-related, benefits compared to software-based encryption products, which rely on the CPU.

The main security benefit is that the encryption key is not stored in the OS memory, but on the disk itself, which makes it less exposed to theft. However, some attacks that work against software-based encryption products also affect SEDs, including evil maid attacks and those that bypass Windows authentication, the researchers said.

Boteanu and Fowler focused their research on laptops with SEDs that are compatible with the Trusted Computing Group (TCG) Storage Security Subsystem Class standard, also known as Opal, and Microsoft's Encrypted Drive (eDrive) standard, which is based on Opal.

These drives are the most attractive for enterprise deployments because they can be easily managed. SEDs operating in eDrive mode for example are managed through BitLocker, Microsoft's full disk encryption technology for Windows.

The researchers tested combinations of Lenovo ThinkPad T440s, Lenovo ThinkPad W541, Dell Latitude E6410 and Dell Latitude E6430 laptops with Samsung 850 Pro and PM851 solid-state drives or Seagate ST500LT015 and ST500LT025 hard disk drives, operating in either Opal or eDrive modes.

The attacks they demonstrated show that the Opal and eDrive standards can't guarantee the security of data in situations where a laptop is in sleep mode and not turned off completely.

Once a SED is unlocked, it remains in that state until the power to it is cycled or a deauthentication command is sent. When the laptop is put in sleep mode the drive state is locked, but when it resumes from sleep, the pre-boot management software, which is already loaded in memory, unlocks the drive. This happens even if Windows itself remains locked and requires the user's password to log in.

The researchers devised three attacks to take advantage of this situation. The first is called a hot plug attack and involves removing the drive from the laptop while in sleep mode and connecting it back using SATA data and power extension cables.

The laptop is then awakened and the management software unlocks the drive. The attacker can then unplug the SATA data cable only from the laptop and connect it to a different computer or laptop to access the data on the drive.

The researchers tested this attack successfully against all 12 Opal and eDrive configurations.

To mitigate it, users should always power off their laptops or put them in a hibernation state when they leave them unattended. IT administrators can also disable the sleep mode through policies.

In the future, laptop manufacturers could add mechanisms to detect if the drive gets unplugged while the computer is in sleep mode and trigger a hard reset, the researchers said. SED manufacturers could also detect if the SATA interface is disconnected and lock the drive automatically.

The second attack does not involve removing the drive from the laptop and instead forces the laptop to perform a soft reset by triggering a critical error (BSOD) in Windows. A soft reset does not cycle the power to the self-encrypting drive so it keeps it in an unlocked state.

If the laptop is in sleep mode, it can first be woken up to unlock the drive. The attacker can then connect a special circuit board called a Facedancer to the laptop via USB. This board can emulate various USB devices and can also be used to trigger a BSOD in Windows.

When the laptop reboots as a result of the critical error, the attacker can use the special function key to access the boot menu and boot from an alternative source, like a USB thumb drive with a live Linux installation. The attacker can then use Linux to access the data on the drive, which is still unlocked.

This attack worked on eight Opal configurations, but not on Lenovo laptops with SEDs operating in eDrive mode.

To mitigate this type of attack, IT administrators can disable Windows' option to automatically restart on BSOD and can also lock down BIOS/UEFI so that attackers can't boot from external media.
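The two Windows-side mitigations named above (disabling sleep so the drive is power-cycled, and disabling automatic restart on BSOD) can be audited and enforced with a small script. The following is an added example written for this article, not code from the researchers or the vendors; it assumes it runs elevated on a Windows endpoint, and the registry paths are the standard Windows locations for these settings (the standby policy GUID is the "Allow standby states (S1-S3)" power setting).

```powershell
# Added audit/remediation helper (not from the article or the researchers).
# Checks that sleep states are disallowed (so an unattended laptop ends up
# powered off or hibernated, cycling drive power) and that Windows does not
# auto-restart on a BSOD (so a forced crash cannot hand an unlocked SED to
# an alternative boot device). Run from an elevated PowerShell session.

$StandbyPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'

$Checks = @(
    @{ Name = 'Automatic restart on BSOD disabled'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
       Value = 'AutoReboot'; Expected = 0
       Fix = { Set-ItemProperty -Path $args[0] -Name 'AutoReboot' -Value 0 -Type DWord } },
    @{ Name = 'Standby states S1-S3 disallowed on AC (policy)'
       Path = $StandbyPolicy; Value = 'ACSettingIndex'; Expected = 0
       Fix = { New-Item -Path $args[0] -Force | Out-Null
               Set-ItemProperty -Path $args[0] -Name 'ACSettingIndex' -Value 0 -Type DWord } },
    @{ Name = 'Standby states S1-S3 disallowed on battery (policy)'
       Path = $StandbyPolicy; Value = 'DCSettingIndex'; Expected = 0
       Fix = { New-Item -Path $args[0] -Force | Out-Null
               Set-ItemProperty -Path $args[0] -Name 'DCSettingIndex' -Value 0 -Type DWord } },
    @{ Name = 'Hibernation enabled as the sleep alternative'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
       Value = 'HibernateEnabled'; Expected = 1
       Fix = { powercfg /hibernate on | Out-Null } }   # powercfg owns this setting
)

function Test-SedSleepHardening {
    [CmdletBinding()] param([switch]$Remediate)
    foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $ok = ($null -ne $actual) -and ($actual -eq $c.Expected)
        if (-not $ok -and $Remediate) {
            & $c.Fix $c.Path
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
            $ok = ($null -ne $actual) -and ($actual -eq $c.Expected)
        }
        # A missing value means the policy was never set, which is non-compliant here
        [pscustomobject]@{ Check = $c.Name; Expected = $c.Expected; Actual = $actual; Compliant = $ok }
    }
}

# Audit only; add -Remediate to apply the fixes
Test-SedSleepHardening | Format-Table -AutoSize
```

The standby policy values take effect after a policy refresh or reboot; the BIOS/UEFI lockdown against booting from external media is a firmware setting and is not covered by this script.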

The third attack is called a hot unplug attack and is more difficult to pull off because it requires exposing the drive's SATA pins while still running, attaching another power source to it, removing the drive while maintaining the alternative power and connecting it to a different computer.

The researchers disclosed their findings to the Trusted Computing Group and the U.S. Computer Emergency Readiness Team (US-CERT). They've also been in contact with Lenovo which is looking into potential mitigations.

The takeaway is that SEDs are insecure by default when the laptops they're installed in are powered on or in sleep mode, but hardened deployments can mitigate the risks, the researchers said.

The bad news is that it's almost impossible to detect if these attacks have occurred after the fact, which means that some companies might want to reevaluate the potential impact of some of their laptop loss or theft incidents if they relied on this technology to protect data.

Stories by Lucian Constantin