Researchers at the Netherland’s Radboud University have uncovered serious security issues with several solid-state drives that use hardware-based encryption—vulnerabilities that would allow an attacker to access a drive’s “encrypted” contents without needing the password that decrypts it.
First, here’s a list of the affected drives:
Crucial MX100, MX200, and MX300 internal SSDs
Samsung T3 and T5 external SSDs
Samsung 840 EVO and 850 EVO internal SSDs
You can read a detailed report of researchers’ findings listing the specific vulnerabilities for each hard drive model.
The fun doesn’t end there, however. Users running one of the affected drives may think that Microsoft’s BitLocker tool, which comes standard on Windows 10 Pro, will cover the issue with its software-based encryption. BitLocker may even say that one of the SSDs on the aforementioned list is encrypted. As it turns out, that’s not true.
Instead, when BitLocker notices that the SSD offers hardware-based encryption, it defaults to using that instead of BitLocker’s software encryption. If you’re using one of the above drives, BitLocker will assume your drive is encrypted when it’s actually pretty vulnerable (if someone gets physical access to it), leaving you a lot less secure.
Both Samsung and Crucial have issued firmware updates to address these issues with its SSDs—and you should install them right now—but even Samsung suggests that users also use third-party software encryption for their data. We have some recommendations for that but, first, here’s how to check the kind of encryption your SSD uses:
How to detect if your drive is using hardware or software encryption on Windows
First, open an elevated command prompt. You can do that by typing “cmd” into the search box on your Windows taskbar, but don’t press enter yet. Wait for “command prompt” to appear in the search results, then right-click it and select “Run as Administrator.” A command prompt window should open titled “Administrator: Command Prompt.”
In the elevated command prompt window, type manage-bde.exe -status and hit Enter.
You will be greeted with a list of your system’s drives and the type of encryption they use (if any). If you are using any of the affected drives outlined above and it’s listed as using software encryption, then you’re clear of the potential security risks. If any of them are noted as using hardware encryption, however, then you’re open to vulnerabilities. In that case, we need to change the encryption method to one that actually works.
How to force BitLocker’s Software encryption
Microsoft says that while BitLocker relies on a drive’s hardware encryption by default, it is possible to force a drive to use BitLocker’s software encryption instead. You won’t have to reformat your drives, nor reinstall any applications, in order to change the encryption method (despite contradictory information in the Radboud researchers’ original report).
First, you’ll need to change the Group Policy settings for BitLocker. To open the Group Policy editor, type “Group Policy” in the taskbar search box, then click the Group Policy editor. In the editor, go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
Under Fixed Data drives, double-click on “Configure use of hardware-based encryption for fixed data drives,” and then click “Edit.” Set the option to “Disabled,” then click Apply. Repeat these steps for the similarly named options in the Operating System Drives and Removable Data Drives folders.
Next, we have to decrypt and re-encrypt the drive by disabling and re-enabling BitLocker. In the Windows Explorer, open “This PC,” right-click the drive, and click “Manage BitLocker.” A Control Panel window will pop up listing your system’s drives, along with the option to turn BitLocker on or off.
The decryption process may take several hours to complete depending on how much data is stored on the drive. Once you re-enable BitLocker, the drive will now be encrypted using BitLocker’s software encryption. As with the previous step, this can take a while depending on the drive’s size, but once it’s done, your drive will be fully—and properly—protected.
Use Third-Party Software
If you don’t trust BitLocker, don’t have it, or aren’t a Windows user but still looking for a way to encrypt your compromised Samsung or Crucial hard drive, the best option is to use third-party software encryption.
There are numerous third-party alternatives available. Radboud’s researchers recommend that consumers use VeraCrypt, a free, open-source encryption software that has been popular for years. There are also excellent paid products, such as Folder Lock ($40), and AxCrypt (free, $36 for premium, or $90 for business), which often feature customer support, Mac support, and special features or bonus security add-ons that are worth the price.