A team of researchers led by the Electronic Frontier Foundation (EFF), said they have found that a number of disk
encryption technologies aren’t quite so safe. They said their research was inspired by computer scientists who noted the fact that memory does not clear on reboots or in a low power state,
The problem is two-fold. One, computers don’t zero out the RAM on a warm
reboot and even when they’ve been powered down for a few seconds, their
contents can be extracted. The second problem is that when a computer is put
in a low-power state, either sleep mode or hibernation, decryption keys are
still in memory and can in theory be accessed.
Getting at the decryption keys wasn’t even the hard part, according to
EFF Staff Technologist Seth Schoenm who took part in the test along with
Princeton University and some private researchers.
“There is a fair amount of skill involved in developing these tools, but
I don’t think carrying out the theft requires very much skill,” he told
InternetNews.com. The results of the paper, entitled “Lest We
Remember: Cold Boot Attacks on Encryption Keys,” can be found here.
[cob:Related_Articles]The researchers found they were able to get at the
contents of memory and crack a number of disk encryption technologies,
including Microsoft’s BitLocker,
Apple’s FileVault, and the open source programs TrueCrypt and dm-crypt. With
the encryption keys and passwords stored in memory, the researchers were
able to retrieve them and effectively turn off encryption.
Richard Moulds, executive vice president of product strategy for
enterprise security vendor nCipher, said people make too many assumptions
about security. “Just because it’s encrypted doesn’t mean it’s safe,” he
said. “Security isn’t quite that simple. People probably make assumptions
because they assume it loses its contents on power off.”
Evaluating the risk
To be sure, this only works on a laptop that is in a person’s physical
possession; there is no need to fear someone in the airport lounge or local
Starbucks is zapping your computer. And if the computer has been powered
down for any length of time, the technique won’t work either.
The problem is, many people don’t power down their laptops. Putting them
in sleep or hibernate mode instead of turning them off saves power when the
user starts it up again, since it doesn’t have to go through an entire boot
process.
“The problem with sleep mode is the contents of memory are still there,”
said Schoen. “In the case of hibernate they have been written to the hard
drive. Those are potentially real issues, in the sense that if the computer
can be woken up, all keys are in memory.”
There was one exception: BitLocker in advanced mode actually worked out
well. It’s the basic mode that Schoen said was fairly useless. “BitLocker
out of the box is most resistant in advanced modes, but most vulnerable in
basic mode. There is a dramatic difference between basic mode and advanced
mode,” he said.
Schoen said the only truly safe strategy is to shut down the computer.
Moulds added that there should be a hardware solution as well, which isn’t
too surprising since that’s what his company specializes in.
“There always has to be a hardware solution,” he said. “At the end of the
day, software can be analyzed. There are numerous tools out there to see software executing on a CPU. You need to put that behind an iron curtain. That needs to be an isolated processor.”