- Research has shown that some SSDs have flawed hardware encryption
- BitLocker will no longer rely on SSDs to implement their own encryption
- Existing BitLocker volumes are not affected and will not be changed
According to the release notes Microsoft has published for the incremental KB4516071 update for Windows 10, the company will no longer use the hardware encryption capabilities built into some SSDs when BitLocker is enabled on a volume. Instead, Windows will apply its own software encryption. Security experts have attributed the change to reports that major SSD manufacturers have not been taking adequate security measures in their encryption implementations, leaving potentially easy ways to bypass the protections that users take for granted. Microsoft is effectively taking control of the process rather than trusting the SSD manufacturers. The change will not affect existing BitLocker volumes.
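Because existing volumes keep whatever method they were encrypted with, the check a practitioner wants after this update is an inventory of BitLocker volumes still using the drive's own hardware encryption. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes the BitLocker module's `Get-BitLockerVolume` cmdlet is available, and the function name and the sample volume objects are constructed for illustration.

```powershell
# Flags BitLocker volumes whose EncryptionMethod is the drive's hardware encryption.
# Assumption: volume objects have the MountPoint, EncryptionMethod and VolumeStatus
# properties that Get-BitLockerVolume returns (live use needs an elevated session).
function Get-HardwareEncryptedBitLockerVolume {
    [CmdletBinding()]
    param(
        # Volume objects shaped like Get-BitLockerVolume output (live or constructed).
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [object[]]$Volume
    )
    process {
        foreach ($v in $Volume) {
            # 'Hardware' is the EncryptionMethod reported for self-encrypting-drive volumes;
            # every other value (XtsAes128, Aes256, ...) means Windows software encryption.
            $usesHardware = ([string]$v.EncryptionMethod -eq 'Hardware')
            [pscustomobject]@{
                MountPoint       = $v.MountPoint
                EncryptionMethod = [string]$v.EncryptionMethod
                VolumeStatus     = [string]$v.VolumeStatus
                # Only a volume that is still encrypted needs attention.
                NeedsReEncrypt   = $usesHardware -and ([string]$v.VolumeStatus -ne 'FullyDecrypted')
            }
        }
    }
}

# Constructed sample data standing in for Get-BitLockerVolume on a machine with a
# software-encrypted system drive and a data drive encrypted before the update.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; EncryptionMethod = 'XtsAes128'; VolumeStatus = 'FullyEncrypted' }
    [pscustomobject]@{ MountPoint = 'D:'; EncryptionMethod = 'Hardware';  VolumeStatus = 'FullyEncrypted' }
)
$sample | Get-HardwareEncryptedBitLockerVolume | Format-Table -AutoSize

# Live inventory (elevated session): list only the volumes that still need attention.
# Get-BitLockerVolume | Get-HardwareEncryptedBitLockerVolume | Where-Object NeedsReEncrypt

# There is no in-place conversion from hardware to software encryption: a flagged volume
# is decrypted (Disable-BitLocker) and then re-encrypted (Enable-BitLocker) after the update.
```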
As pointed out by the popular Twitter account SwiftOnSecurity, the change comes almost a year after a research report published by Radboud University in the Netherlands revealed that some implementations of hardware encryption on an SSD can be defeated simply by using a manufacturer's master password, or by intercepting the DEK (Disk Encryption Key), which itself is not cryptographically protected. Either technique lets an attacker defeat an SSD's own security without knowing the user's encryption key.
The research report identified several popular consumer SSD models sold by Crucial and Samsung. The findings applied to internal as well as external SSDs, and the researchers stated that many more drives might be affected. Both companies have since released security patches that are said to address this issue.