The built-in data encryption vulnerabilities of hard drives

Is hardware disk encryption reliable enough? Is it true that if an encrypted disk is stolen, nobody can get at the information on it? Let’s try to answer these questions.

In September 2015, the researchers Gunnar Alendal (Norway) and Christian Kison (Germany) published a study titled “Do you use hardware encryption? On the (in)security of hard drives with hardware encryption”. In the course of the study the authors bought several hard drives with hardware-based encryption, and on the basis of their results they concluded that hardware encryption was generally unreliable, regardless of the drive’s manufacturer. Here is why.

In some of the tested drives, the data could be accessed without any password at all, because password protection is disabled by default. Such a default calls the whole point of hardware-based encryption into question: the data on the platters are encrypted, but the drive decrypts them for anyone who plugs it in.

When password protection is enabled, the researchers found that the password is kept in encrypted form either in the memory of the disk controller or in one of the drive’s hidden sectors. That would be acceptable if those locations were out of reach, but an attacker can retrieve the encrypted password from either of them and decrypt it through a series of technically trivial steps that require only standard software tools.

The encryption controllers themselves deserve special attention. The test drives used several types of controller, and some of them proved vulnerable. From one type the researchers obtained the encrypted password simply by switching the controller into firmware update mode. Another type used keys with only 32 bits of strength instead of the advertised 256 bits; a key space of 2^32 values can be searched exhaustively in minutes on ordinary hardware. A third type stored the encryption key in plain text, so the data could be read without any password at all.
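To see why a 32-bit key counts as trivially crackable, here is an added example (not code from the study or from this page). It replaces the drive’s AES and its key derivation with hypothetical stand-ins, a 32-bit seed hashed with SHA-256 and a keystream XOR, and uses a constructed known plaintext: the first bytes of an NTFS boot sector, which an attacker can predict without any password. The attack structure is what matters: with 2^32 candidate keys and one block of known plaintext, the attacker simply tries them all. The demo caps the search so it finishes quickly, then measures the interpreter’s rate to extrapolate to the full space.

```python
"""Why a 32-bit key is trivial to crack: a known-plaintext exhaustive search.

Added example; the cipher and key derivation are hypothetical stand-ins.
"""
import hashlib
import time
from typing import Optional

# Constructed sample: an NTFS boot sector starts with a jump instruction
# followed by the OEM ID "NTFS    ". An attacker knows this without a password.
KNOWN_PLAINTEXT = b"\xEB\x52\x90NTFS    "


def key_from_seed(seed: int) -> bytes:
    """Hypothetical key derivation: the whole key depends on a 32-bit seed,
    so there are only 2**32 possible keys however long the output is."""
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher for the demo: XOR with a key-derived keystream."""
    keystream = hashlib.sha256(key + b"keystream").digest()
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def recover_seed(ciphertext: bytes, limit: int = 2 ** 32) -> Optional[int]:
    """Try every seed in [0, limit); the first one whose key turns the
    known plaintext into the observed ciphertext is the drive's seed."""
    for seed in range(limit):
        if toy_encrypt(key_from_seed(seed), KNOWN_PLAINTEXT) == ciphertext:
            return seed
    return None


def trials_per_second(sample: int = 20_000) -> float:
    """Measure how many candidate keys this interpreter tests per second."""
    start = time.perf_counter()
    for seed in range(sample):
        toy_encrypt(key_from_seed(seed), KNOWN_PLAINTEXT)
    return sample / (time.perf_counter() - start)


def worst_case_seconds(rate: float, key_bits: int = 32) -> float:
    """Seconds needed to exhaust a key space of 2**key_bits at `rate` keys/s."""
    return 2 ** key_bits / rate


if __name__ == "__main__":
    # Keep the demo quick: the secret seed sits in the low range and the
    # search is capped at 300_000 candidates. The point is that the full
    # 2**32 space is only hours away in pure Python and seconds in C with AES-NI.
    secret_seed = 123_456
    observed = toy_encrypt(key_from_seed(secret_seed), KNOWN_PLAINTEXT)
    print("recovered seed:", recover_seed(observed, limit=300_000))
    rate = trials_per_second()
    print(f"{rate:,.0f} keys/s here -> full 32-bit space in "
          f"{worst_case_seconds(rate) / 3600:.1f} hours; "
          f"a 256-bit space would take {worst_case_seconds(rate, 256):.2e} s")
```

The comparison printed at the end is the whole argument: the same loop that finishes a 32-bit space in hours would need on the order of 10^70 seconds for a real 256-bit key, so the weakness is entirely in how little entropy feeds the key, not in the cipher.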

The study also describes other hardware disk encryption vulnerabilities, but the findings above already support one obvious conclusion: buying a disk with built-in hardware encryption does not by itself guarantee the safety of your data, and you should also use software protection. Such protection exists, and, being software, it is at least as good as hardware protection and often more flexible and more reliable.

Software encryption does not store the password on the hard drive at all. It lets you encrypt only the information that actually needs encrypting (rather than everything on the disk), and it works with both physical and virtual disks, so it removes the need for a hard drive with hardware protection altogether. Our company sells such a product: the professional encryption software Cryptic Disk.
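To make the contrast concrete, here is an added example in Python (not Cryptic Disk’s code and not its on-disk format, whose details this page does not give). The first half illustrates the class of flaw the study describes: a password “encrypted” under a fixed key baked into the controller, which anyone holding a dump of the controller and a copy of the firmware can undo. The second half shows the usual software-container design: the header keeps a random salt, the KDF cost, a verifier and the wrapped data key, and nothing that can be turned back into the password. The key wrap is a XOR with a derived subkey, a stand-in for AES key wrap, and the iteration count is an assumption.

```python
"""What ends up on disk: a recoverable 'encrypted password' versus a header
that stores no password at all. Added example with a hypothetical layout."""
import hashlib
import hmac
import os
from typing import Optional

# --- The flaw class from the study (hypothetical illustration) --------------
# A device-wide obfuscation key shipped inside the controller firmware. The
# attacker who dumps the controller's storage lacks no secret at all.
FIXED_CONTROLLER_KEY = hashlib.sha256(b"same-key-in-every-unit").digest()


def weak_store_password(password: bytes) -> bytes:
    """'Encrypt' the user's password under the fixed key and keep it on device."""
    return bytes(p ^ k for p, k in zip(password, FIXED_CONTROLLER_KEY))


def weak_recover_password(stored: bytes) -> bytes:
    """What the attacker does with the dumped blob: undo the same XOR."""
    return bytes(s ^ k for s, k in zip(stored, FIXED_CONTROLLER_KEY))


# --- Software container header that stores no password ----------------------
KDF_ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 cost; an assumption for the demo
VERIFIER_LABEL = b"header-verifier"


def derive_subkeys(password: str, salt: bytes, iterations: int) -> tuple:
    """Password -> (wrap_key, verify_key). Salted and slow on purpose, so each
    password guess costs the attacker a full PBKDF2 run."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   iterations, dklen=64)
    return material[:32], material[32:]


def create_header(password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """Build the on-disk header. The random DEK is what encrypts the data;
    only its wrapped form is written out, never the password."""
    salt = os.urandom(16)
    dek = os.urandom(32)
    wrap_key, verify_key = derive_subkeys(password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "verifier": hmac.new(verify_key, VERIFIER_LABEL, hashlib.sha256).digest(),
        # XOR wrap with a one-time derived key; real products use AES key wrap.
        "wrapped_dek": bytes(d ^ w for d, w in zip(dek, wrap_key)),
    }


def unlock(header: dict, password: str) -> Optional[bytes]:
    """Re-derive the subkeys, check the verifier, unwrap the DEK."""
    wrap_key, verify_key = derive_subkeys(password, header["salt"],
                                          header["iterations"])
    expected = hmac.new(verify_key, VERIFIER_LABEL, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["verifier"]):
        return None  # wrong password: no key, so no data
    return bytes(c ^ w for c, w in zip(header["wrapped_dek"], wrap_key))


def header_bytes(header: dict) -> bytes:
    """Serialized header, i.e. everything a thief gets by copying the disk."""
    return (header["salt"] + header["iterations"].to_bytes(4, "big")
            + header["verifier"] + header["wrapped_dek"])


if __name__ == "__main__":
    pw = "correct horse battery staple"
    blob = weak_store_password(pw.encode())
    print("weak design, recovered from dump:", weak_recover_password(blob))
    header = create_header(pw)
    print("password appears in header:", pw.encode() in header_bytes(header))
    print("unlock with right password:", unlock(header, pw) is not None)
    print("unlock with wrong password:", unlock(header, pw.upper()))
```

With the second layout, a thief who copies the whole disk holds only a salt, a verifier and a wrapped random key: every password guess costs a full PBKDF2 run, and because the DEK is random the wrapped value leaks nothing about the wrap key. With the first layout the same thief recovers the password in one line.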

You can download and install a fully functional version of Cryptic Disk free of charge for up to 30 days. The program protects not only local user files but also files kept in cloud storage such as Dropbox.

In conclusion: if the valuable information on your hard drive amounts to prom photos, the built-in hardware encryption will be more than enough. But if we are talking about really valuable information, whose loss could have irreparable consequences, then think carefully about whom you entrust with its protection: the hard drive manufacturers or the software vendors.