Web Analytics
  • Secure Channels

Doh! What My Encrypted Drive Can Be Unlocked By Anyone?

When a password of “” can open up your encrypted drive

Prof Bill Buchanan OBE

Nov 5, 2018.

Many companies now use full disk encryption for their computers, especially for laptops on the move. So while the usage of TrueCrypt has faded, especially when its open source developers gave up maintaining the code, it has been up to Microsoft BitLocker to take over and become the tool of choice for encrypting disk drives.

But is it actually robust? Well, not if you read this paper [link]:

I cannot even start to explain how bad this discovery is for the industry, and a complete embarrassment for the vendors involved. The lack of integration between vendors seems almost negligent in the extreme.

The paper outlines that some SSD drives (including Samsung and Crucial) do not actually encrypt the data properly, and that they can be easily by-passed without a system password.

The manufacturers of the drives have been informed through ethical disclosure (in April 2018), and users are being asked to rely on software encryption rather than the embedded hardware encryption. A particular risk is Windows BitLocker — which has a virtual monopoly in the market place for complete disk encryption — as it often relies on the hardware encryption used in the SSD drives.

The affected disks include:

  1. Crucial (Micron) MX100, MX200 and MX300 internal hard disks.

  2. Samsung T3 and T5 USB external disks.

  3. Samsung 840 EVO and 850 EVO internal hard disks.

The research team did not run tests across all the available SSD disks, but found that the following disks could be compromised with a range of attacks:

The researchers investigated the MASTER PASSWORD CAPABILITY bit in the firmware and which can be set so that a factory-set Master password can unlock the drive. For the Samsung MX300 SSD it was found there was no need to set this bit as it could be reset by decrypting the RDS key. The master password thus protects the main encryption key used for the disk. In the case of the MX300 drive this is “” (an empty string!!!!!!!!!!!!!). Yes … you read that correctly … the password which releases the encryption key for the whole disk is an empty string (32 NULL characters — 32 0x00 byte values):

Within disk encryption, a system can either use software encryption (and where the data is encrypted before it is presented to the disk) or use hardware encryption (and where the operating system relies on the disk hardware to encrypt and decrypt). The setting for software or hardware encryption is defined in a Group Policy [here]. If the disk supports hardware encryption it will use that option. For the disks effected, a complete reinstall it required, and where the group policy is changed to software encryption. Otherwise a software encryption package named VeraCrypt is recommended as an alternative to BitLocker.


If you need to have full disk encryption, and you have an SSD drive, you just cannot trust hardware encryption. At least with software encryption the data is encrypted before it gets anywhere near your disk. A master password of “” (an empty string — or 32 NULL characters) is shocking, and negligence of the highest kind.

The researchers recommend using an open sourced (and auditable) software encryption method such as VeraCrypt, along with hardware encryption. VeraCrypt is based on the well-loved TrueCrypt open-sourced software distribution:

veracrypt/VeraCrypt Disk encryption with strong security based on TrueCrypt – veracrypt/VeraCryptgithub.com

For full article, click here.

#DigitalSecurity #CyberSecurity #DataSecurity #XOTIC #Hack #Breach #CyberDefense #CyberAttack #Encryption #patentedencryption

Secure Channels BRINGS to market data encryption, cryptographic protocols, and access control/ privileged access/ user authentication technologies in the form of licensable tools, end user platforms and purpose-built solutions, SERVING software & application developers, hardware OEM and device manufacturers, and enterprise organizations, WHO place a premium on cybersecurity, risk reduction, and operational performance benefits or competitive differentiation provided, ALLOWING them to replace, augment, or introduce to new cryptography into their products or environments, PROVIDING material and measurable cybersecurity protections, risk reduction and data breach mitigation.

Secure Channels Inc. 

16400 Bake Parkway, Suite 100  |  Irvine, CA 92618  |  T: (855) 825-6766  |  E: contact@securechannels.com

Follow us!

  • Facebook
  • LinkedIn
  • Twitter

Copyright © 2020 Secure Channels Inc. All rights reserved