Microsoft explains how to protect data on SSDs with "leaky" hardware encryption
A few days ago, Habr published an article about a study by researchers at Radboud University who found vulnerabilities in the hardware encryption of several SSD models. Using the techniques they describe, an attacker can read the protected data without knowing the password at all.
For Windows the problem is particularly acute, because the built-in BitLocker encryption defers to the drive when the OS detects that the SSD offers hardware encryption, and does not encrypt the data in software itself. In effect, users of the affected Crucial and Samsung SSDs who have not updated their drive firmware are keeping their data open to attackers. Microsoft has now published guidance on how to protect data on such SSDs in a Windows environment.
The company's article explains that systems with 1394 (FireWire) and Thunderbolt ports have Direct Memory Access (DMA) enabled for those ports by default; it has to be turned off separately. While a BitLocker-protected volume is unlocked, its encryption key is held in the computer's RAM. An attacker with physical access can therefore connect a 1394 or Thunderbolt device to a vulnerable PC and use DMA to search memory for the key and steal it.
Microsoft describes several ways to defend against this class of attack. The preferred one is the Kernel DMA Protection feature available starting with Windows 10 version 1803: "For Windows 10 1803 and later versions, if the system supports the Kernel DMA Protection feature, we recommend using this opportunity to reduce the likelihood of a successful attack with Thunderbolt DMA." For systems that do not have this feature, Microsoft offers other methods, described below.
Kernel DMA Protection blocks newly connected Thunderbolt 3 devices from performing DMA until a defined set of checks has been completed.
When a Thunderbolt 3 device is connected to a system with Kernel DMA Protection enabled, Windows checks whether the device's driver supports DMA remapping. DMA remapping (implemented with the platform's IOMMU) confines the device to a dedicated, isolated region of memory that the operating system has set aside for it, so the device cannot read or write any other memory.
If the device's driver supports DMA remapping, Windows enumerates and starts the device immediately, with its DMA restricted to that isolated region. If the driver does not support DMA remapping, the device is blocked from starting and from performing DMA until an authorized user logs in or unlocks the screen. Only after that does Windows start the driver and allow the device to use DMA.
Kernel DMA Protection is currently available only in Windows 10 version 1803 and later, and it also requires UEFI firmware support from the system manufacturer. You can check whether it is active on a given PC in System Information (msinfo32), which shows a "Kernel DMA Protection" line. If the computer does not support Kernel DMA Protection, or it is not running a recent enough version of Windows, Microsoft recommends disabling the SBP-2 (1394) driver and disabling the Thunderbolt controllers in Windows.
It is worth noting that if you do not use Thunderbolt or 1394 devices, turning off these controllers will have no effect on your day-to-day work. Users whose machines do have such ports can follow the company's advice to close off this attack path, at the cost of losing those ports.
Microsoft also notes that if the hardware complies with the Windows Engineering Guidance, it most likely disables 1394 and Thunderbolt DMA in firmware until Windows has started, so peripherals on those ports do not get memory access the moment they are plugged in. On hardware that deviates from the guidance, Windows itself may enable DMA for such devices once the PC has booted.
"If your hardware is different from the recommendations of the Windows Engineering Guidance, after turning on the PC Windows can activate DMA on such a device, and this makes the system vulnerable to compromise," Microsoft representatives said in a statement. To disable the relevant controllers, you need the exact Plug and Play device ID of each one.
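The following script is an added example, not code from the original article or from Microsoft's guidance, showing how an administrator without Kernel DMA Protection would carry out the recommendation above: enumerate the 1394 and Thunderbolt controllers with their Plug and Play IDs, disable the SBP-2 driver, add the IDs to the device installation restriction policy, and disable the controllers that are currently present. The registry paths are the ones written by the SBP-2 service entry and by the Group Policy "Prevent installation of devices that match any of these device IDs"; the name/ID patterns used to recognise the controllers are assumptions, and you should confirm them against the IDs the script prints for your own hardware before relying on the block list.

```powershell
# Added example (not from the original article or Microsoft's KB).
# Run in an elevated PowerShell on Windows 10.
#Requires -RunAsAdministrator

# 1. Find present PCI devices that look like 1394 or Thunderbolt controllers.
#    PCI class 0C / subclass 00 is IEEE 1394 per the PCI spec, so the compatible ID
#    'PCI\CC_0C00' covers FireWire controllers. The friendly-name regex is an assumption.
$candidates = Get-PnpDevice -PresentOnly |
    Where-Object {
        $_.InstanceId -like 'PCI\*' -and (
            $_.FriendlyName -match 'Thunderbolt|1394|FireWire' -or
            $_.HardwareID -match '^PCI\\CC_0C00'
        )
    }

'Controllers found (check these before continuing):'
$candidates | Format-Table Status, Class, FriendlyName, InstanceId -AutoSize

# 2. Disable the SBP-2 driver (the 1394 storage protocol driver).
#    Start = 4 is SERVICE_DISABLED.
$sbp2 = 'HKLM:\SYSTEM\CurrentControlSet\Services\sbp2port'
if (Test-Path $sbp2) {
    Set-ItemProperty -Path $sbp2 -Name Start -Value 4 -Type DWord
}

# 3. Deny installation of the matching device IDs through the device installation
#    restriction policy keys. DenyDeviceIDsRetroactive also applies the block to
#    devices that are already installed.
$restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$denyList = Join-Path $restrict 'DenyDeviceIDs'
New-Item -Path $denyList -Force | Out-Null
Set-ItemProperty -Path $restrict -Name DenyDeviceIDs            -Value 1 -Type DWord
Set-ItemProperty -Path $restrict -Name DenyDeviceIDsRetroactive -Value 1 -Type DWord

# Use the generic VEN_xxxx&DEV_xxxx form of each controller's hardware ID plus the
# 1394 class ID, so the list also catches the same controller after a re-enumeration.
$ids = @('PCI\CC_0C00') +
    ($candidates.HardwareID |
        Where-Object { $_ -match '^PCI\\VEN_[0-9A-F]{4}&DEV_[0-9A-F]{4}$' } |
        Select-Object -Unique)

$index = 1
foreach ($id in $ids) {
    # The policy stores one string value per ID, named "1", "2", ...
    Set-ItemProperty -Path $denyList -Name ([string]$index) -Value $id -Type String
    $index++
}

# 4. Disable the controllers that are present right now, so no reboot is needed
#    for the block to take effect on this session.
foreach ($dev in $candidates) {
    Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
}
```

Two caveats for anyone applying this: on many laptops the Thunderbolt controller also drives USB-C docks and external displays, so check the printed list before disabling anything; and to undo the change, set the sbp2port Start value back to 3, delete the DenyDeviceIDs list, and re-enable the devices with Enable-PnpDevice.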