Black Hat Europe资料eu-15-Boteanu-Bypassing-Self-Encrypting-Drives-SED-In-Enterprise-Environments-wp.pdfVIP

Bypassing Self-Encrypting Drives (SED) in Enterprise Environments Daniel Boteanu dboteanu@kpmg.ca Kevvie Fowler kevviefowler@kpmg.ca November 2nd, 2015 Abstract Most enterprises employ full-disk-encryption (FDE) in order to protect the confidentiality of the data stored on laptop drives. In the recent past, hardware-based FDE solutions have gained increased popularity. Drives equipped with hardware-based encryption capabilities are called Self-Encrypting Drives (SED) and have the advantage of offloading the encryption from the Operating System to dedicated hardware in the drive. In this paper we analyze 4 attack techniques that can be used to gain access to the data of a SED managed using the Trusted Computing Group (TCG) Opal Storage Specification standards, if the laptop is powered on or in Sleep Mode. One of these techniques had been previously analyzed for SEDs in the ATA Security Mode whereas the other 3 are to our knowledge novel techniques introduced by this paper. Although not all configurations were vulnerable to all of attack techniques, we were able to gain access to the data on the SED using at least 2 techniques for each configuration tested. Responsible Disclosure The issues identified in this paper surround the usage of SED drives with the Opal standard in enterprise environments. However, these issues are not due to erroneous or incomplete implementations of the Opal standard by the various vendors. Instead, they are due to a limitation of the standard that is not well known within the industry. We contacted TCG and disclosed