
Self-encrypting drives are hardly any better than software-based encryption

Lucian Constantin | Nov. 13, 2015
If a laptop using a self-encrypting drive is stolen or lost while in sleep mode, the security of its data can't be guaranteed.

The laptop is then woken up and the management software unlocks the drive. The attacker then unplugs only the SATA data cable from the laptop, leaving the drive powered, and connects that cable to a different computer or laptop to read the data on the still-unlocked drive.

The researchers tested this attack successfully against all 12 Opal and eDrive configurations.

To mitigate this, users should always power off their laptops or put them into hibernation when leaving them unattended, since both cut power to the drive and return it to the locked state. IT administrators can also disable sleep mode through policy.

In the future, laptop manufacturers could add mechanisms to detect if the drive gets unplugged while the computer is in sleep mode and trigger a hard reset, the researchers said. SED manufacturers could also detect if the SATA interface is disconnected and lock the drive automatically.

The second attack does not involve removing the drive from the laptop. Instead it forces the laptop to perform a soft reset by triggering a critical error (BSOD) in Windows. A soft reset is a warm reboot that does not cycle power to the self-encrypting drive, so the drive stays unlocked through the reboot; only a power cycle returns it to the locked state.

If the laptop is in sleep mode, it is first woken up so that the drive gets unlocked. The attacker then connects a Facedancer, a USB hardware-emulation board, to the laptop via USB. The board can emulate various USB devices and can also be used to trigger a BSOD in Windows.

When the laptop reboots as a result of the critical error, the attacker presses the laptop's boot-menu function key and boots from an alternative source, such as a USB thumb drive with a live Linux installation. From Linux the attacker can then read the data on the drive, which is still unlocked.

This attack worked on eight Opal configurations, but not on Lenovo laptops with SEDs operating in eDrive mode.

To mitigate this type of attack, IT administrators can disable Windows' option to automatically restart after a BSOD, so that a crash leaves the machine sitting on the stop screen and the attacker has to power-cycle it, which locks the drive again. They can also lock down the BIOS/UEFI (supervisor password, no boot from external media) so that attackers can't boot an alternative operating system.
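As an added example, not taken from the article or from the researchers' work, the two host-side mitigations the article recommends (no sleep state, only hibernate or shutdown; no automatic restart after a BSOD) expressed as a PowerShell hardening and audit script. It assumes a Windows laptop on which you have administrator rights. The registry locations are the standard Windows policy path for the "Allow standby states (S1-S3) when sleeping" power setting and the CrashControl key that governs restart after a bugcheck; the function names are my own. The firmware lockdown the article also mentions is vendor-specific and is not scriptable here, so the audit only reminds you to check it.

```powershell
# Added example (not from the article or the researchers): hardening and audit
# for the host-side mitigations against the "sleeping laptop" SED attacks.
#   1. Disallow S1-S3 standby so an unattended laptop can only hibernate or
#      power off, both of which cut power to the drive and lock it again.
#   2. Disable automatic restart after a BSOD so a forced crash leaves the
#      machine on the stop screen; the attacker must power-cycle it, which
#      clears the drive's unlocked state.
# Run from an elevated PowerShell session.

# Policy key for "Allow standby states (S1-S3) when sleeping" (assumed standard GUID).
$StandbyPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
# Kernel crash behaviour: AutoReboot = 0 means stay on the BSOD instead of rebooting.
$CrashControl  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

function Set-SedSleepHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($StandbyPolicy, 'Disallow S1-S3 standby on AC and battery')) {
        New-Item -Path $StandbyPolicy -Force | Out-Null
        Set-ItemProperty -Path $StandbyPolicy -Name ACSettingIndex -Value 0 -Type DWord
        Set-ItemProperty -Path $StandbyPolicy -Name DCSettingIndex -Value 0 -Type DWord
    }

    if ($PSCmdlet.ShouldProcess($CrashControl, 'Disable automatic restart after BSOD')) {
        Set-ItemProperty -Path $CrashControl -Name AutoReboot -Value 0 -Type DWord
    }

    if ($PSCmdlet.ShouldProcess('active power scheme', 'Hibernate on lid close and power button')) {
        # Hibernation replaces sleep: make it available and map the lid and the
        # power button to it (action value 2 = hibernate) on AC and battery.
        powercfg.exe /hibernate on
        powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
        powercfg.exe /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
        powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 2
        powercfg.exe /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 2
        powercfg.exe /setactive SCHEME_CURRENT
    }
}

function Test-SedSleepHardening {
    # Emits one object per check so the output can go straight into a
    # compliance report (e.g. Export-Csv). Missing keys read as $null and fail.
    $standby = Get-ItemProperty -Path $StandbyPolicy -ErrorAction SilentlyContinue
    $crash   = Get-ItemProperty -Path $CrashControl  -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Check = 'S1-S3 standby disallowed (AC and DC)'
        Pass  = ($standby.ACSettingIndex -eq 0) -and ($standby.DCSettingIndex -eq 0)
    }
    [pscustomobject]@{
        Check = 'No automatic restart after BSOD (AutoReboot = 0)'
        Pass  = ($crash.AutoReboot -eq 0)
    }
    [pscustomobject]@{
        Check = 'BIOS/UEFI: supervisor password set, external boot disabled'
        Pass  = 'verify manually in firmware setup or vendor management tooling'
    }
}

# Usage:
#   Set-SedSleepHardening -WhatIf     # preview the changes
#   Set-SedSleepHardening             # apply them
#   Test-SedSleepHardening | Format-Table -AutoSize
#   powercfg.exe /a                   # should no longer list Standby (S3) as available
```

On a domain-joined machine set the same values through Group Policy rather than the local Policies key, or a policy refresh will overwrite them. Note that `powercfg /a` may still list S3 until the next reboot, and that none of this helps if the laptop is left powered on and logged in; the setting only closes the sleep-mode window the attacks rely on.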

The third attack, called a hot unplug attack, is harder to pull off: the attacker has to expose the drive's SATA connector pins while the drive is still running, attach an external power source to them, remove the drive from the laptop while keeping that alternative power connected, and then attach it to a different computer.

The researchers disclosed their findings to the Trusted Computing Group and the U.S. Computer Emergency Readiness Team (US-CERT). They've also been in contact with Lenovo which is looking into potential mitigations.

The takeaway is that SEDs are insecure by default whenever the laptop they are installed in is powered on or in sleep mode, but hardened deployments can mitigate the risks, the researchers said.
