Microsoft released security advisory ADV180028, Guidance for configuring BitLocker to enforce software encryption, on November 6 2018, in response to the research paper Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs) by Carlo Meijer and Bernard van Gastel of Radboud University. The researchers found flaws in SSDs that support hardware encryption which allowed them to recover the data on an encrypted drive without knowing the password used to protect it.
The attacks require local (physical) access to the SSD; the researchers reverse engineered the drives' firmware to find the flaws that let them read the data.
We analysed the full-disk encryption implementation of several SEDs from different vendors through reverse engineering of their firmware. Combined, these vendors cover roughly half of the SSDs sold today. We found that critical security vulnerabilities in the drives studied exist. It is in many cases possible to recover the contents of the drive without knowledge of any password or secret key, thereby bypassing the encryption entirely.
The researchers tested and confirmed that the following solid state drives with a hardware encryption feature are affected:
– Crucial (Micron) MX100, MX200 and MX300 internal drives
– Samsung T3 and T5 portable (external) drives
– Samsung 840 EVO and 850 EVO internal drives (when ATA security in High mode is used)
It seems likely that additional drives are vulnerable as well. The Crucial MX300, for example, ships with an empty master password by default, which gives access to the key that encrypts the data on the drive.
The encrypted SSD has a master password that’s set to “”. But don’t worry, customers, you can turn it off! Everything will be fine. pic.twitter.com/hSlPCMyHsi
— Matthew Green (@matthew_d_green) November 5, 2018
Samsung has posted a Consumer Notice regarding Samsung SSDs, recommending a firmware update (with the patch) for its portable SSDs and the use of encryption software for its non-portable SSDs.
Affected Microsoft products include Windows 10, 8.1, Server 2012, 2012 R2, 2016 and 2019. BitLocker on Windows 7 is not affected because Windows 7 does not support offloading encryption to self-encrypting drives.
BitLocker supports both software and hardware encryption, and it uses hardware encryption by default when the drive supports it. Microsoft's guidance is to enforce software encryption on SSDs through Group Policy.
Verify BitLocker Encryption Method
Step 1: Open cmd as administrator (Run as administrator).
Step 2: Type
Step 3: Look for "Hardware Encryption" under Encryption Method in the output.
Step 4: If hardware encryption is not referenced in the output, the drive is either using software encryption or is not BitLocker-encrypted at all.
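The same check, scripted so it can be run across every volume on a machine (or pushed to a fleet), as an added example that is not part of the advisory or of the original post. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later, where the BitLocker module's Get-BitLockerVolume cmdlet reports the encryption method; the cross-check function shells out to manage-bde and looks for the "Hardware Encryption" string the advisory's manual procedure relies on.

```powershell
# Added example (not from ADV180028 or the original post): audit every BitLocker volume
# on this machine and flag drives whose encryption is offloaded to the SSD firmware.
# Assumes the BitLocker PowerShell module is present (Windows 8 / Server 2012 or later)
# and that the session is elevated.
#Requires -RunAsAdministrator

function Get-BitLockerEncryptionReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # EncryptionMethod is 'Hardware' when BitLocker handed encryption to the drive's own
        # controller; software encryption reports Aes128/Aes256/XtsAes128/XtsAes256.
        $isHardware = ($vol.EncryptionMethod -eq 'Hardware')

        if ($isHardware) {
            $finding = 'Relies on SSD firmware: decrypt and re-encrypt in software (ADV180028)'
        } elseif ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $finding = 'Not BitLocker-encrypted'
        } else {
            $finding = 'Software encryption'
        }

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType        # OperatingSystem or Data
            VolumeStatus      = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, ...
            ProtectionStatus  = $vol.ProtectionStatus  # On or Off
            EncryptionMethod  = $vol.EncryptionMethod
            HardwareEncrypted = $isHardware
            Finding           = $finding
        }
    }
}

# Cross-check with the legacy tool the advisory's manual steps use: manage-bde -status
# prints an "Encryption Method: Hardware Encryption ..." line for SED-backed volumes.
function Test-ManageBdeHardwareEncryption {
    param([string]$MountPoint = 'C:')
    $out = & manage-bde.exe -status $MountPoint 2>&1 | Out-String
    return [bool]($out -match 'Encryption Method:\s*Hardware Encryption')
}

Get-BitLockerEncryptionReport | Format-Table -AutoSize
"manage-bde says hardware encryption on C:: $(Test-ManageBdeHardwareEncryption -MountPoint 'C:')"
```

Any row with HardwareEncrypted set to True is a drive whose confidentiality currently depends on the SSD vendor's firmware rather than on BitLocker, and is the one to decrypt and re-encrypt after the policy change described below.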
Switch to BitLocker Software Encryption via BitLocker Group Policy settings
Step 1: Open the Start menu.
Step 2: Type
Step 3: Go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
For the system drive, open Operating System Drives and double click on Configure use of hardware-based encryption for operating system drives.
For fixed data drives, open Fixed Data Drives and double click on Configure use of hardware-based encryption for Fixed Data Drives.
For removable drives, open Removable Data Drives and double click on Configure use of hardware-based encryption for Removable Data Drives.
Step 4: Set the required policies to Disabled. Disabled forces BitLocker to use software encryption for all drives of that class, including those that support hardware encryption. The setting only applies to drives encrypted after the policy is in place.
Turn off BitLocker on existing drive
BitLocker does not apply the new encryption method to drives that are already encrypted; such drives must be decrypted and then encrypted again.
Note: you do not need to reformat the drive or reinstall any applications after changing the BitLocker settings.
Step 1: Open Explorer on the computer.
Step 2: Right click on the drive and select Manage BitLocker from the context menu.
Step 3: Select Turn off BitLocker and wait until the drive is fully decrypted.
Step 4: Turn BitLocker on again for the drive; with the policy above in place it is now encrypted in software.
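The policy change and the decrypt/re-encrypt cycle above, scripted end to end, as an added example that is neither Microsoft's code nor the original post's. It assumes an elevated session on Windows 8/Server 2012 or later and writes the three DWORD values that, to the best of the author's knowledge, the BitLocker policy template stores under HKLM\SOFTWARE\Policies\Microsoft\FVE for the three "Configure use of hardware-based encryption" settings (OSAllowHardwareEncryption, FDVAllowHardwareEncryption, RDVAllowHardwareEncryption; 0 means Disabled). The protector choices (TPM plus recovery password for the OS drive, recovery password for data drives) and the XTS-AES-256 default are the example's own assumptions, not something the advisory prescribes.

```powershell
# Added example (not from ADV180028 or the original post): disable the three
# "Configure use of hardware-based encryption" policies by writing the registry values
# the BitLocker policy template stores (assumed names/location, see lead-in), then
# decrypt and re-encrypt one volume so that it ends up software-encrypted.
# Run elevated on Windows 8 / Server 2012 or later.
#Requires -RunAsAdministrator

# Registry location the BitLocker ADMX template writes policy values to (assumption).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Set-BitLockerSoftwareEncryptionPolicy {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    # 0 == policy Disabled: BitLocker must use software encryption for that drive class.
    foreach ($name in 'OSAllowHardwareEncryption', 'FDVAllowHardwareEncryption', 'RDVAllowHardwareEncryption') {
        New-ItemProperty -Path $policyKey -Name $name -Value 0 -PropertyType DWord -Force | Out-Null
    }
    Get-ItemProperty -Path $policyKey | Select-Object *AllowHardwareEncryption
}

function Convert-BitLockerToSoftwareEncryption {
    param(
        [Parameter(Mandatory)][string]$MountPoint,   # e.g. 'C:' or 'D:'
        [ValidateSet('XtsAes128', 'XtsAes256', 'Aes128', 'Aes256')][string]$Method = 'XtsAes256'
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.EncryptionMethod -ne 'Hardware') {
        Write-Host "$MountPoint already uses $($vol.EncryptionMethod); nothing to do."
        return $vol
    }

    # Decrypting discards the existing protectors: print the current recovery password
    # first so the drive is never left without a way back in if something goes wrong.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { Write-Host "Old recovery password for ${MountPoint}: $($_.RecoveryPassword)" }

    Disable-BitLocker -MountPoint $MountPoint | Out-Null
    # Poll until the volume reports FullyDecrypted (hardware-encrypted drives finish
    # quickly; a large software-encrypted data drive would take much longer).
    do {
        Start-Sleep -Seconds 5
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    } until ($vol.VolumeStatus -eq 'FullyDecrypted')

    # Re-encrypt. With the policy above in force BitLocker cannot fall back to the SSD's
    # own encryption, so the result is software encryption with the chosen cipher.
    if ($vol.VolumeType -eq 'OperatingSystem') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $Method -TpmProtector -SkipHardwareTest | Out-Null
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    } else {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod $Method -RecoveryPasswordProtector | Out-Null
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        ForEach-Object { Write-Host "New recovery password for ${MountPoint}: $($_.RecoveryPassword) (escrow it)" }
    return $vol
}

Set-BitLockerSoftwareEncryptionPolicy
Convert-BitLockerToSoftwareEncryption -MountPoint 'C:'
```

On a domain-joined machine set the policy through a GPO rather than by writing the registry directly: the script writes the values BitLocker reads, but the next Group Policy refresh can overwrite them, and gpedit.msc will not show them as configured. Escrow the new recovery password (Active Directory, Azure AD/Intune or your key management system) before closing the session, and verify the result with Get-BitLockerVolume: the EncryptionMethod should now read XtsAes256 (or whichever method you chose) rather than Hardware.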
Radboud University researchers discover security flaws in widely used data storage devices
Draft of 5 November 2018: Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)
Advisory by the Dutch National Cyber Security Centre, available on the NCSC website (in Dutch):
Group Policy needed for Microsoft Windows BitLocker