RealTime IT News

Laptop Encryption Has a Point of Weakness

A team of researchers led by the Electronic Frontier Foundation (EFF), said they have found that a number of disk encryption technologies aren't quite so safe. They said their research was inspired by computer scientists who noted the fact that memory does not clear on reboots or in a low power state,

The problem is two-fold. One, computers don't zero out the RAM on a warm reboot and even when they've been powered down for a few seconds, their contents can be extracted. The second problem is that when a computer is put in a low-power state, either sleep mode or hibernation, decryption keys are still in memory and can in theory be accessed.

Getting at the decryption keys wasn't even the hard part, according to EFF Staff Technologist Seth Schoenm who took part in the test along with Princeton University and some private researchers.

"There is a fair amount of skill involved in developing these tools, but I don't think carrying out the theft requires very much skill," he told The results of the paper, entitled "Lest We Remember: Cold Boot Attacks on Encryption Keys," can be found here.

[cob:Related_Articles]The researchers found they were able to get at the contents of memory and crack a number of disk encryption technologies, including Microsoft's BitLocker, Apple's FileVault, and the open source programs TrueCrypt and dm-crypt. With the encryption keys and passwords stored in memory, the researchers were able to retrieve them and effectively turn off encryption.

Richard Moulds, executive vice president of product strategy for enterprise security vendor nCipher, said people make too many assumptions about security. "Just because it's encrypted doesn't mean it's safe," he said. "Security isn't quite that simple. People probably make assumptions because they assume it loses its contents on power off."

Evaluating the risk

To be sure, this only works on a laptop that is in a person's physical possession; there is no need to fear someone in the airport lounge or local Starbucks is zapping your computer. And if the computer has been powered down for any length of time, the technique won't work either.

The problem is, many people don't power down their laptops. Putting them in sleep or hibernate mode instead of turning them off saves power when the user starts it up again, since it doesn't have to go through an entire boot process.

"The problem with sleep mode is the contents of memory are still there," said Schoen. "In the case of hibernate they have been written to the hard drive. Those are potentially real issues, in the sense that if the computer can be woken up, all keys are in memory."

There was one exception: BitLocker in advanced mode actually worked out well. It's the basic mode that Schoen said was fairly useless. "BitLocker out of the box is most resistant in advanced modes, but most vulnerable in basic mode. There is a dramatic difference between basic mode and advanced mode," he said.

Schoen said the only truly safe strategy is to shut down the computer. Moulds added that there should be a hardware solution as well, which isn't too surprising since that's what his company specializes in.

"There always has to be a hardware solution," he said. "At the end of the day, software can be analyzed. There are numerous tools out there to see software executing on a CPU. You need to put that behind an iron curtain. That needs to be an isolated processor."