Computer scientists have discovered a novel way to bypass the encryption used in programs like Microsoft's BitLocker and Apple's FileVault and then view the contents of supposedly secure files.
In a paper (PDF) published Thursday that could prompt a rethinking of how to protect sensitive data, the researchers describe how they can extract the contents of a computer's memory and discover the secret encryption key used to scramble files.
"There seems to be no easy remedy for these vulnerabilities," the researchers say. "Simple software changes are likely to be ineffective; hardware changes are possible but will require time and expense; and today's Trusted Computing technologies appear to be of little help because they cannot protect keys that are already in memory. The risk seems highest for laptops, which are often taken out in public in states that are vulnerable to our attacks. These risks imply that disk encryption on laptops may do less good than widely believed."
The nine researchers listed on the paper include San Francisco-area programmers Jacob Appelbaum and Seth Schoen and a team of Princeton University computer scientists such as graduate students J. Alex Halderman and Nadia Heninger and professor Ed Felten. The paper is titled "Lest We Remember: Cold Boot Attacks on Encryption Keys."
Their technique doesn't attack the encryption directly. Rather, it relies on gaining access to the contents of a computer's RAM--through a mechanism as simple as booting a laptop over a network or from a USB drive--and then scanning for encryption keys. How the scan is done is one of the most clever portions of the paper.
The reason I say this research could prompt a rethinking of how to protect data is that many of us who use encrypted file-systems believe that if our computers are lost or stolen, our data will be secure. But if a thief (or nosy border guard, or FBI agent) nabs my laptop locked with a screen saver or in sleep mode with the RAM intact, the paper shows that encryption provides no protection.
"You can't rely on the screen saver," said Peter Gutmann, a computer science professor at the University of Auckland in New Zealand who has done related work but is not affiliated with Thursday's paper. "If you really are that worried, you have to turn off your PC."
The researchers say their technique works against Apple's FileVault, the BitLocker Drive Encryption feature included in the Enterprise and Ultimate versions of Windows Vista, the open-source product TrueCrypt, and the dm-crypt subsystem built into Linux kernels starting with 2.6. The other researchers include William Clarkson, William Paul, and Ariel J. Feldman.
In its marketing literature, Apple promises that, with FileVault turned on, "the data in your home folder is encoded and your information is secure if your computer is lost or stolen." When I contacted the company for comment, Apple would say only this: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
Microsoft was more forthcoming, saying: "The claims detailed in the Princeton paper are not vulnerabilities, per se, but simply detail the fact that contents that remain in a computer's memory can be accessed by a determined third party if the system is running."
"BitLocker is an effective solution to help safe guard personal and private data on mobile PCs and provides a number of protection options that meet different end-user needs. Like all full volume encryption products BitLocker has a key-in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive/s in use," Microsoft said. "If a system is in 'Sleep mode' it is, in effect, still running. We recognize users want advice with regards to BitLocker and have published best practice guidance in the Data Encryption Toolkit (available here). In it we discuss the balance of security and usability and detail that the most secure method to use BitLocker is hibernate mode and with multi-factor authentication."
At this point, clever readers might be thinking: If the attack involves executing a specific memory-dump utility while rebooting, then Apple, HP, Toshiba, and so on can simply lock down the hardware to prevent any such utility from being run until the RAM can be safely wiped. Problem solved?
Well, not so fast. Another interesting technique that Thursday's paper describes is how to supercool the RAM chips with a can of compressed air held upside-down. Then the cooled memory can be physically extracted and inserted in another computer owned by the attacker. (If the memory is permanently affixed to the motherboard, there are still other methods [PDF] that can be used.)
The paper states: "Contrary to the expectation that DRAM loses its state quickly if it is not regularly refreshed, we found that most DRAM modules retained much of their state without refresh, and even without power, for periods lasting thousands of refresh intervals."
"At normal operating temperatures, we generally saw a low rate of bit corruption for several seconds, followed by a period of rapid decay. We obtained surface temperatures of approximately −50 degrees C with a simple cooling technique: discharging inverted cans of "canned air" duster spray directly onto the chips," according to the paper. "At these temperatures, we typically found that fewer than 1 percent of bits decayed even after 10 minutes without power. To test the limits of this effect, we submerged DRAM modules in liquid nitrogen (ca. −196 degrees C) and saw decay of only 0.17 percent after 60 minutes out of the computer."
Gutmann, the New Zealand computer scientist, previewed this kind of attack in a 1996 paper that said: "To extend the life of stored bits with the power removed, the temperature should be dropped below -60 degrees C. Such cooling should lead to weeks, instead of hours or days, of data retention."
Play video
There are currently no comments for this post.