Bernard Parsons, CEO and Co-Founder of Becrypt:
The security and vulnerability of hardware-based disk encryption of solid-state drives (SSDs) has been forensically probed recently, as the relevance of data breaches continues to increase. Established thinking has pointed to the security offered by hardware-based encryption as being similar to, or superior than, software-based encryption methods. The current reality seems somewhat different, with some iterations of hardware models allowing for relatively easy access to encrypted data by attackers, through a variety of methods.
Although full-disk encryption is typically the solution of choice for data at rest protection, software solutions can render devices susceptible to some attacks whilst powered on, as a result of the encryption key being present in memory. However, recent findings have revealed possible flaws in hardware-based full-disk encryption, allowing attackers to completely bypass security features and access data without using passwords to recover encryption keys. As ‘data at rest’ protection is typically about protecting lost or stolen devices, attacks such as these that apply when devices are powered off, are of significantly greater concern.
Hardware-based encryption often relies on proprietary crypto schemes that are both hard to audit and difficult to implement, with mistakes often undermining security. Achieving confidence that encryption products can be relied on can be achieved in part by increased scrutiny of the architecture, crypto scheme, and implementation, allowing for security claims to be independently verified.
One approach is through comprehensive assurance schemes, such as the National Cyber Security Centre’s (NCSC) Commercial Product Assurance (CPA) scheme, which is applicable to both hardware and software-based encryption products. Both will continue to exist as they are driven by different device form-factors and evolving threat models.
Those caught out by current vulnerabilities in hardware-based products should, at the very least, look to tighten data security by disabling SSD-based encryption, and look towards a software-based alternative, until these issues can be addressed. This will assure users that the ability to circumnavigate passwords to decrypt sensitive data, is minimised.
“Self-encrypting deception: weaknesses in the encryption of solid-state drives (SSDs)” Carlo Meijer, Bernard van Gastel, University of the Netherlands, 2018.