I've been reading up on Self Encrypting Drives and I'm having trouble understanding how the Shadow MBR is not a security problem.

I found these slides which indicate that the Shadow MBR is stored in clear text (which makes sense because it needs to be presented before the password is given to unlock the drive). Given that, it seems like it should be vulnerable to the Evil Maid Attack on defeating whole disk encryption.

That post deals with software based FDE, but the principle should be the same: find the one piece of software that isn't encrypted and replace it with something malicious.

However, from this post, the Shadow MBR is supposed to be inaccessible:

The MBR shadow is a 128 MB area that is totally “off the map”. If the OS or a virus were to read each LBA on the drive from LBA 0 to MAX LBA it would still not be able to see it or modify it.

Problem solved! Except, here is where things get confusing (for me). This post on unlocking SEDs has this to say:

When a SED is configured with pre-boot authentication, only the 128MB OPAL “MBR Shadow” volume is visible to the OS

So, which is it? Is the Shadow MBR totally "off the map" or is it the only thing visible to the OS? And, if it's visible and mountable at the OS level, what is to stop an attacker from replacing your PBA with their own?

ThoriumBR
Dominic P
    In the Blackhat slides that you quoted, they say "Only Shadow MBR is visible, read-only"; this makes it visible to the OS, but it cannot be modified. The PBA also doesn't handle decryption itself but only passes the password to the drive, so it doesn't need access to the DEK. – nullgraph Oct 28 '16 at 00:37
  • Thanks for the reply. I missed that part from the slides. That is good news. Of course, if an attacker were able to modify the PBA, they wouldn't necessarily need access to the DEK to compromise security. They could simply collect the password the next time it was entered and send it to an offsite server. – Dominic P Oct 28 '16 at 17:08

1 Answer

The point is that the Shadow MBR is provided by the drive itself, so it could be made read-only (or, more likely, provided by firmware, and if the manufacturer did things properly, the firmware won't be writable in locked state¹). Still, although it makes the FDE-unlocking attack harder, an attacker could always put a SATA filter in front of the locked drive that performs the key stealing (the same procedure but with hardware instead of software).

¹ Note it will probably still be writable by directly flashing the hardware chips, though.

Ángel
  • Thanks for the explanation. I've seen some hardware based attacks on SEDs, but I've never heard of a SATA filter. Do you know if such an attack has been demonstrated before? I would be curious to read about how it's done. – Dominic P Jul 16 '18 at 17:52
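As an added illustration (not code from the question, the answer, or any drive vendor), the following Python toy models the behaviour the answer describes: while the drive is locked, LBA 0 onwards shows the Shadow MBR and the block interface rejects writes to it; only after a successful unlock and setting MBRDone does the same LBA range map to the user data. The `SedModel` class, the tiny shadow size, and the `pba_is_trusted` hash check are constructed assumptions for this example and not the TCG OPAL specification.

```python
"""Toy model of how an OPAL-style self-encrypting drive presents its Shadow MBR.

Constructed example: it is NOT the TCG OPAL specification and not any vendor's
firmware. It models only the block (LBA) interface, which is the interface the
answer says the Shadow MBR is read-only through.
"""
import hashlib

SECTOR = 512
SHADOW_SECTORS = 64  # the real Shadow MBR is 128 MB; kept tiny so the example runs fast


class SedModel:
    def __init__(self, password: str, pba_image: bytes, user_data: bytes):
        assert len(pba_image) <= SHADOW_SECTORS * SECTOR
        self._password = password
        # Shadow MBR: stored in clear, padded to its fixed size. Written once at
        # provisioning time (through an admin session on a real drive); after that
        # the block interface never lets it be written while locked.
        self._shadow = pba_image.ljust(SHADOW_SECTORS * SECTOR, b"\0")
        self._user = bytearray(user_data)
        self.locked = True      # locking range locked: user data unreadable
        self.mbr_done = False   # False: LBA 0.. shows the Shadow MBR

    def _view(self) -> bytes:
        # Which bytes the host sees at LBA 0: the Shadow MBR until MBRDone is set.
        return self._shadow if not self.mbr_done else bytes(self._user)

    def read(self, lba: int, count: int = 1) -> bytes:
        if self.mbr_done and self.locked:
            raise PermissionError("locking range locked: read rejected")
        view = self._view()
        start, end = lba * SECTOR, (lba + count) * SECTOR
        if end > len(view):
            raise IndexError("LBA out of range for current view")
        return view[start:end]

    def write(self, lba: int, data: bytes) -> None:
        if not self.mbr_done:
            # The "visible, read-only" part: the host can read the PBA but the
            # block interface offers no way to change it.
            raise PermissionError("Shadow MBR is read-only")
        if self.locked:
            raise PermissionError("locking range locked: write rejected")
        start = lba * SECTOR
        if start + len(data) > len(self._user):
            raise IndexError("LBA out of range")
        self._user[start:start + len(data)] = data

    def unlock(self, password: str) -> bool:
        # The PBA only forwards the password; the DEK never leaves the drive.
        if password == self._password:
            self.locked = False
        return not self.locked

    def set_mbr_done(self) -> None:
        # Simplification: this toy requires an unlock before MBRDone can be set.
        if self.locked:
            raise PermissionError("unlock before setting MBRDone")
        self.mbr_done = True


def shadow_mbr_sha256(drive: SedModel) -> str:
    """Hash the PBA the drive currently presents, using only locked-state reads."""
    h = hashlib.sha256()
    for lba in range(SHADOW_SECTORS):
        h.update(drive.read(lba))
    return h.hexdigest()


def pba_is_trusted(drive: SedModel, known_good: str) -> bool:
    """Defender-side check: compare with the hash recorded at provisioning time."""
    return shadow_mbr_sha256(drive) == known_good


if __name__ == "__main__":
    # Constructed sample: a fake PBA image and a few sectors of user data.
    pba = b"PBA-IMAGE-v1: prompts for password, forwards it to the drive"
    drive = SedModel("correct horse", pba, bytes(range(256)) * 8)
    recorded = hashlib.sha256(pba.ljust(SHADOW_SECTORS * SECTOR, b"\0")).hexdigest()
    print("PBA matches provisioning hash:", pba_is_trusted(drive, recorded))
    try:
        drive.write(0, b"X" * SECTOR)
    except PermissionError as err:
        print("write while locked:", err)
    print("unlocked:", drive.unlock("correct horse"))
    drive.set_mbr_done()
    print("LBA 0 after MBRDone:", drive.read(0)[:4])
```

The hash check is the defender's counterpart to the question's worry: run from a separately booted medium before the password is typed and compared with a value recorded at provisioning, it detects a PBA altered through the block interface. It cannot see what the answer warns about, a device sitting between the host and the drive or firmware reflashed at chip level, because those change what the interface presents rather than what the check reads.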