Daniel Boteanu demonstrating the hot plug attack against self-encrypting hard drives at Black Hat Europe 2015 in Amsterdam on Nov. 12, 2015. Credit: Lucian Constantin
Companies relying on self-encrypting drives (SEDs) to secure data stored on their employees' laptops should be aware that this technology is not immune to attack and should carefully consider whether they want to use this rather than software-based approaches.
Daniel Boteanu and Kevvie Fowler from KPMG Canada demonstrated three data recovery methods against laptops using SEDs at the Black Hat Europe security conference in Amsterdam Thursday.
Self-encrypting drives perform the data encryption and decryption operations on a dedicated crypto processor that is part of the drive controller. That gives them several, mainly performance-related, benefits compared to software-based encryption products which rely on the CPU.
The main security benefit is that the encryption key is not stored in the OS memory, but on the disk itself, which makes it less exposed to theft. However, some attacks that work against software-based encryption products also affect SEDs, including evil maid attacks and those that bypass Windows authentication, the researchers said.
Boteanu and Fowler focused their research on laptops with SEDs that are compatible with the Trusted Computing Group (TCG) Storage Security Subsystem Class standard, also known as Opal, and Microsoft's Encrypted Drive (eDrive) standard, which is based on Opal.
These drives are the most attractive for enterprise deployments because they can be easily managed. SEDs operating in eDrive mode, for example, are managed through BitLocker, Microsoft's full disk encryption technology for Windows.
The researchers tested combinations of Lenovo ThinkPad T440s, Lenovo ThinkPad W541, Dell Latitude E6410 and Dell Latitude E6430 laptops with Samsung 850 Pro and PM851 solid-state drives or Seagate ST500LT015 and ST500LT025 hard disk drives, operating in either Opal or eDrive modes.
The attacks they demonstrated show that the Opal and eDrive standards can't guarantee the security of data in situations where a laptop is in sleep mode and not turned off completely.
Once a SED is unlocked, it remains in that state until the power to it is cycled or a deauthentication command is sent. When the laptop is put in sleep mode the drive state is locked, but when it resumes from sleep, the pre-boot management software, which is already loaded in memory, unlocks the drive. This happens even if Windows itself remains locked and requires the user's password to log in.
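The lock-state behaviour described above is easier to reason about as a small state model. The following is an added example, not code from the researchers or from any drive vendor: it models a laptop with a SED across power events under the assumptions the article states (the drive locks when power is cut or a deauthentication command is sent, and resident pre-boot software re-unlocks it on resume from sleep) plus one constructed assumption of my own, that hibernate and shutdown remove drive power and evict the pre-boot software from memory. The `exposure_window` check flags the defender-relevant condition: drive readable while the Windows session is still locked.

```python
"""Constructed model of a self-encrypting drive's lock state across laptop power events.

Added illustration only; it reflects the behaviour described in the article and the
labelled assumptions in the comments, not any vendor's firmware or management software.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class SedLaptop:
    drive_unlocked: bool = False
    os_session_locked: bool = True          # Windows lock screen shown / nobody logged in
    preboot_auth_in_memory: bool = False    # pre-boot management software resident in RAM
    log: List[str] = field(default_factory=list)

    def preboot_authenticate(self) -> None:
        # User enters pre-boot credentials: the drive unlocks and the management
        # software stays resident so it can repeat the unlock later.
        self.drive_unlocked = True
        self.preboot_auth_in_memory = True
        self.log.append("preboot auth: drive unlocked")

    def os_login(self) -> None:
        self.os_session_locked = False
        self.log.append("windows login")

    def os_lock(self) -> None:
        # Locking Windows changes nothing about the drive's own state.
        self.os_session_locked = True
        self.log.append("windows locked; drive state unchanged")

    def deauthenticate(self) -> None:
        # Explicit deauthentication command: drive re-locks without a power cycle.
        self.drive_unlocked = False
        self.log.append("deauth command: drive locked")

    def _power_cycle(self) -> None:
        self.drive_unlocked = False
        self.preboot_auth_in_memory = False

    def sleep_resume(self) -> None:
        # Sleep: the drive locks, but RAM is preserved. On resume the resident
        # pre-boot software unlocks the drive again while Windows shows its lock screen.
        self.drive_unlocked = False
        self.os_session_locked = True
        if self.preboot_auth_in_memory:
            self.drive_unlocked = True
            self.log.append("resume from sleep: pre-boot software re-unlocked drive")

    def hibernate_resume(self) -> None:
        # Assumption (not from the article): hibernate cuts power and clears RAM,
        # so the drive locks and pre-boot authentication is required again.
        self._power_cycle()
        self.os_session_locked = True
        self.log.append("resume from hibernate: pre-boot auth required")

    def shutdown(self) -> None:
        self._power_cycle()
        self.os_session_locked = True
        self.log.append("shutdown: drive locked")


def exposure_window(laptop: SedLaptop) -> bool:
    """True when the drive is readable although nobody has authenticated to Windows."""
    return laptop.drive_unlocked and laptop.os_session_locked


def scenario(power_event: str) -> bool:
    """Authenticate, log in, apply one power event, report whether an exposure window exists."""
    lap = SedLaptop()
    lap.preboot_authenticate()
    lap.os_login()
    getattr(lap, power_event)()
    return exposure_window(lap)


if __name__ == "__main__":
    for event in ("sleep_resume", "hibernate_resume", "shutdown", "os_lock", "deauthenticate"):
        print(f"{event:18s} exposure={scenario(event)}")
```

Under this model only `sleep_resume` and a bare `os_lock` leave the drive unlocked with the session locked, which is the condition the three attacks rely on; hibernate, shutdown and an explicit deauthentication do not, which is the basis for policies that disable sleep on SED-equipped laptops.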
The researchers devised three attacks to take advantage of this situation. The first is called a hot plug attack and involves removing the drive from the laptop while the laptop is in sleep mode and connecting it back using SATA data and power extension cables.