Disk encryption is no silver bullet, researchers say

SAN JOSE, Calif.--Disk encryption, which people rely on for protecting sensitive data on laptops, can fairly easily be foiled, security researchers said in presenting a paper on a so-called "cold-boot attack" at the Usenix security conference on Wednesday.

In a new type of attack that requires physical access to a target computer, an attacker can cut power to a machine that is in sleep mode, restore the power, and boot a malicious operating system from a USB drive or an iPod that can copy the RAM contents.

But won't the contents of the RAM be lost when the power is turned off? Actually, no, according to the team of mostly Princeton University researchers led by J. Alex Halderman, a doctoral candidate.

The group found that contrary to common knowledge, RAM data fades gradually over a period spanning from a few seconds to a few minutes after the power is cut. This could give an attacker time to read the RAM data, including encryption keys, after rebooting into a different operating system or removing the memory chips and placing them into a different computer.

This image shows how data on a RAM chip fades gradually over time. The far left shot shows an image in memory five seconds after the power was cut, followed on the right by 30 seconds, 60 seconds and 5 minutes.

(Credit: Center for Information Technology at Princeton University)

An attacker can extend the data decay time period by cooling the chip off while the machine is running with a spray of "canned air" commonly used for cleaning keyboards of dust. With liquid nitrogen, an attacker could take days to retrieve the data if needed.

Popular disk encryption schemes like Microsoft's Bitlocker in Vista don't protect against this type of attack, and actually make the laptops more susceptible, the researchers said.

"Overall, the significance is that disk encryption is not the silver bullet that we might have thought in its present state," Halderman, said in an interview after the presentation. "Individuals and businesses that rely on disk encryption need to pay much closer attention to the physical security of their devices."

In addition to Halderman, the research team included Princeton professor Ed Felten, as well as Nadia Heninger, William Clarkson, Joseph Calandrino, and Ariel Feldman of Princeton; Jacob Appelbaum; Seth Schoen of the Electronic Frontier Foundation; and William Paul of Wind River Systems.

This video created by the research team explains how the attack is done:

[alegr]

Is this news? We've heard this a month ago.

[ikramerica--2008]

Many months ago. No new arcane security threats for cnet to scare us with so they just dig up an old one?

[exmsft]

This is a lame, academic hack. Cold booting is a machine that has been off for several hours. A warm boot is a machine that has just been shut off. The odds of someone having just closed an important system, walking away from it, and allowing someone to come up to it seconds or minutes later - ideally armed with a can of coolant of some type is a pretty improbable attack. Possible, sure. But improbable.

[toaked]

Just to be clear with the concept Cold booting is not a machine that has been off for several hours.....Cold boot is when power of the computer is CYCLED (turned off and then on)...and warm boot is when the computer restarts under some software control,without triggering reset line. E.g.Control+Alt+Delete key combination on the original IBM PC...

[Lerianis]

I wouldn't say even probable. The fact is that WHENEVER I leave my computer when I am out somewhere other than my home, I NEVER LEAVE MY COMPUTER ON THE TABLE. I pack it up, take it with me even if I am just going to the bathroom, and that takes care of problems like this one.

[Imalittleteapot]

Ok, this would be more than just a tiny patch, but couldn't a kernel present a crypto key and memory management API that can manage that ram for you in a more secure way. It could do stuff like lock memory pages from being swapped, and couldn't the kernel simply overwrite the ram with new random data or zero it out before releasing back to another program. The basic idea is you would have a function called something like cryptmalloc where when you allocate that memory you're letting the kernel know, hey I need some secure memory. Then the kernel could maintain a list of memory ranges that have been allocated via cryptalloc. A cryptfree would overwrite the data before releasing it back to the OS with random junk. Or upon a shut down the kernel could just foreach the pages that had been allocated but not freed and overwrite them with random junk in case the app forgot to free it. Over writing it with junk data once or twice, would that work? I know protected memory and virtual memory complicate this, but I can't think of anything off hand that would make it straight out unpossible. I've never really done much kernel space code though so perhaps I'll be corrected here.

[Renegade Knight]

What I get out of the article is to just shut off your computer when you are done. I'm hard pressed to figure out how they think encryption makes it easier to gain access than say no protection at all.

[Imalittleteapot]

It's just that hacker mindset at work. As long as there is one way in there might as well be a million. It's just how they think. Yeah, just shut it off until someone in the data protection business finds an even more comprehensive solution which I'm sure they will soon.

[caxqueiroz]

Is this news?????? [2]

[Heebee Jeebies]

I think of the people here miss the point. It is highly probable that this would be used by law enforcement, by security at border crossings or by governments that don't respect peoples privacy like China. Even here in the US I could see this being used when dealing with what our government calls terrorists. According to the courts people can't be made to reveal encryption keys if prosecutors want what's on the computer they would use this in a heart beat. So anyone that doesn't see this being used is a blind fool.

[ferretboy88]

What do you mean by "what our govt calls terrorists"? You don't believe terrorists are real? Did you watch the 1972 Munich Olympics? Do you remember the 1993 world trade center bombing went Clinton was president? I suppose those were just a few guys who forgot they had a truck load of explosives in a van in the garage in the WTC. I guess the fact they were related to the 9/11 terrorist mastermind was just a coincidence. What do you call a person that puts a bomb vest on and kills school kids? Do be a fool, there are people in this world that would love to launch an attack in the US with a biological weapon that would kill millions. The govt is right trying to prevent this. You would be one of the first guys who gets his head cut off.

[fokkwp]

9/11, and now this!

[ferretboy88]

What does 9/11 have to do with this?

[ferretboy88]

What do you mean by "what our govt calls terrorists"? You don't believe terrorists are real? Did you watch the 1972 Munich Olympics? Do you remember the 1993 world trade center bombing went Clinton was president? I suppose those were just a few guys who forgot they had a truck load of explosives in a van in the garage in the WTC. I guess the fact they were related to the 9/11 terrorist mastermind was just a coincidence. What do you call a person that puts a bomb vest on and kills school kids? Do be a fool, there are people in this world that would love to launch an attack in the US with a biological weapon that would kill millions. The govt is right trying to prevent this. You would be one of the first guys who gets his head cut off.

[The_Decider]

Anyone with a clue should know that encryption is not a silver bullet for anything.

Of course a CNET writer wouldn't know this.

[Arbalest05]

I'm not buying it.
As the contents of the memory fades, bits of data are being lost (actually, just randomized), but the picture of the Mona Lisa is still recognizable, even when 70 or 80% of the bits that represent it are lost. In contrast, if only a single bit of an encryption key is lost, the key would not work.
If you think this method of retrieving encryption keys is cool, you should check out this YouTube video of how to make a pair of hover shoes with 4 magnets and 2 9volt batteries:
http://www.youtube.com/watch?v=40S8G2ZuRpE

[Imalittleteapot]

If one single bit is missing they key won't work, but it would be dramatically easier. For example, if only one bit is missing then you basically know the key. You would only have to try two. For the first set the missing bit to 0 and for the second set the missing bit to 1. It has to be one or the other. For every bit of the key the hacker knows they only have to try half the key combinations they did before if my math is correct.

[wlau]

Arbalest05, I am guessing you don't know how DDR and memory controller works... The fade pattern on those pictures make a lot of sense consider the order of how DDR rows and columns are refreshed/recharged. The whole thing about needing to keep the crypto key in the memory to perform decrypt opertions present the danger of someone doing a memory dump.

[t26l]

AFAIK, this hack is real but (so far) only usable on software-based encryption like BitLocker, TrueCrypt and FileVault.

If you use a FDE (full-disk-encryption) enabled drive, which does the encryption on a hardware/firmware basis, this hack is (so far) not usable.

Appreciate if someone knowledgeable clears the air.

[ferretboy88]

Why did you even invent this software? Thanks for making this easy to use software and telling the bad guys about it. Thanks for helping them out. Now start working on a program to prevent this.

[Imalittleteapot]

This is how computer security works. First rule of security is that no matter what you design, it can be hacked. So businesses can't rebuild stuff just because it might be insecure. Everything is insecure. All that matters is if someone currently knows how to hack it. If you can't prove it can be hacked then a company isn't going to fix anything. So the researchers are just proving it can be hacked. It is better that these tools are in the hands of both researches and the bad guys instead of the just the bad guys. Now the problem can be addressed in the future. Typically you can't defend yourself from an attack when you don't understand how it works. That's why it is critical that researchers figure out these attacks work so they can be explained to us so that protections can be built.