Accessing data on Self-Encrypting drives while a system is in sleep state

2016-08-12T00:00:00
ID LENOVO:PS500026-NOSID
Type lenovo
Reporter Lenovo
Modified 2016-08-12T00:00:00

Description

Lenovo Security Advisory: LEN-2910
Potential Impact: Physical access of encrypted data
Severity: Informational

Summary:

At the BlackHat Europe 2015 conference, KPMG disclosed an industry-wide vulnerability affecting hard disk drives that employ hardware-based Full Disk Encryption (FDE). These drives are called Self-Encrypting Drives (SEDs), and they have dedicated hardware that encrypts the data stored on them.

By compromising the physical security of the devices, the researchers were able to access data on the SEDs while the system was powered on or in sleep mode (ACPI Mode S3).

The researchers tested several systems from different manufacturers and found this to be an industry issue.

Mitigation Strategy for Customers (what you should do to protect yourself):

Lenovo recommends that customers always deploy physical protection of their systems. To ensure the best system security when a system is unattended, hibernate or turn the system off instead of using sleep mode. For all Lenovo products, this will prevent all of the attack methods detailed in the report. Customers that need to protect computer assets should always maintain physical control of all systems as part of security best practices.

Prior to the researchers’ report, Lenovo proactively mitigated some of these attacks, which was ahead of the other systems tested in the research. ThinkPad systems with an SED installed and configured with a hard drive password will automatically reboot if drive removal is detected while the system is in sleep mode.

Also, an option is available in the ThinkPad BIOS to require a “password on restart”: if a system is forced into a Windows bluescreen, the system will require a password before restarting. Lenovo recommends that customers who are concerned about this type of attack enable this setting.

Please refer to the ThinkPad BIOS security white paper for additional recommended ThinkPad BIOS configuration security best practices.
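The recommendation above to hibernate or power off instead of sleeping can be enforced on a Windows endpoint with `powercfg`. The following script is an added example, not part of Lenovo's advisory; it assumes an elevated PowerShell session and English-language `powercfg` output, and the idle timeouts are illustrative values.

```powershell
# Added example (not from the Lenovo advisory): replace S3 sleep with hibernate.
# Assumptions: elevated PowerShell, English-language powercfg output,
# illustrative idle timeouts.

# 1. Audit: is S3 standby offered by this platform at all?
$report    = (powercfg /a) -join "`n"
# The "available" list comes first; cut the report at the "not available" header.
$available = ($report -split 'not available')[0]
if ($available -match 'Standby \(S3\)') {
    Write-Warning 'S3 standby is available: drive stays unlocked while asleep.'
}

# 2. Make sure hibernation is enabled so it can be used as the replacement.
powercfg /hibernate on

# 3. Lid close, sleep button and power button all hibernate.
#    Action values: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down
$Hibernate = 2
foreach ($setting in 'LIDACTION', 'SBUTTONACTION', 'PBUTTONACTION') {
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $setting $Hibernate
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $setting $Hibernate
}

# 4. Never enter standby on idle (0 = never); hibernate on idle instead.
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0
powercfg /change hibernate-timeout-ac 30   # minutes, illustrative
powercfg /change hibernate-timeout-dc 15   # minutes, illustrative

# 5. Re-apply the current scheme so the new values take effect.
powercfg /setactive SCHEME_CURRENT

# 6. Verify: the current AC/DC setting index for the lid should read 0x00000002.
powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
```

These settings apply only to the active power scheme on the local machine; fleet-wide enforcement would normally push the same values through Group Policy or an endpoint management tool.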

Acknowledgements:

Thanks to Daniel Boteanu and Danny Garwood of KPMG Canada

Other information and references:

The report from KPMG Canada is available here:

<https://www.blackhat.com/eu-15/briefings.html#bypassing-self-encrypting-drives-sed-in-enterprise-environments>

Revision History:

Revision | Date | Description
---|---|---
1.0 | 11/12/2015 | Initial release