Hard disk encryption vulnerable to key retrieval with physical access
Posted in Tech, Software, Security on February 24th, 2008
Princeton have a great YouTube video and material on retrieving secret keys used in hard disk encryption, called “Lest we remember: Cold boot attacks on Encryption keys”.
My quick summary of their material:
- Memory takes some time to erase after a power shutdown
- Putting a laptop to sleep still provides some power to memory
- Keys can be recovered from memory
- Disk encryption is probably vulnerable if a user puts their laptop to sleep (as keys are stored in memory)
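The last two points are the defender's lever: a key that has already been wiped from RAM cannot be read back out of it, so key material should be zeroed at the moment it stops being needed (in particular before the machine suspends, since sleep keeps DRAM powered). The C below is an added example written for this post, not code from the Princeton material or from any of the named disk encryption products; the names secure_wipe, is_wiped and demo_key_lifecycle and the sample key bytes are this example's own. It shows why a plain memset() is not enough (an optimising compiler may drop a store to memory that is never read again) and how a volatile write avoids that.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the Princeton paper: wipe key material before
 * the system sleeps. DRAM keeps its contents for seconds to minutes after
 * power loss, and a sleeping laptop keeps DRAM powered the whole time. */

/* memset(key, 0, len) right before the buffer goes out of scope is a
 * "dead store": the compiler may legally remove it, leaving the key in
 * RAM. Writing through a volatile pointer forces every byte to be
 * written (same idea as explicit_bzero()/memset_s(), which are not
 * available everywhere). */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. Accumulates with
 * OR rather than returning early so the check covers the whole buffer. */
int is_wiped(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

#define KEY_LEN 32 /* size of a 256-bit disk encryption key */

/* Walks a constructed key through its lifecycle: fill, use, wipe at the
 * point where the system is about to suspend. Returns 1 if no key bytes
 * remain in the buffer afterwards, 0 if residue is left behind. */
int demo_key_lifecycle(void)
{
    unsigned char key[KEY_LEN];

    /* Constructed sample key (hypothetical); a real system would derive
     * it from a passphrase or TPM-sealed blob. */
    for (size_t i = 0; i < KEY_LEN; i++) {
        key[i] = (unsigned char)(0xA5 ^ i);
    }

    /* ... the key would be handed to the cipher for disk I/O here ... */

    /* "Suspend" event: wipe the key and verify nothing is left. */
    secure_wipe(key, KEY_LEN);
    return is_wiped(key, KEY_LEN);
}

int main(void)
{
    unsigned char key[KEY_LEN];
    for (size_t i = 0; i < KEY_LEN; i++) {
        key[i] = (unsigned char)(0xA5 ^ i);
    }
    printf("before wipe: wiped=%d\n", is_wiped(key, KEY_LEN));
    secure_wipe(key, KEY_LEN);
    printf("after wipe:  wiped=%d\n", is_wiped(key, KEY_LEN));
    printf("lifecycle ok=%d\n", demo_key_lifecycle());
    return 0;
}
```

Note that in a real disk encryption system the raw key is not the only copy: the cipher's expanded key schedule and any cached intermediate values live in RAM too, and all of them need the same treatment. A wipe that runs on shutdown but not on sleep leaves exactly the gap this post is about.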
While disk encryption will still increase security against casual or opportunistic theft of a laptop, it may not provide much protection from a targeted attack.
It seems a little ironic that software used to protect a laptop's contents when it is stolen or lost may not actually do so, depending on whether users shut down or sleep. I can vouch that with Windows Vista on a laptop, boot-up and shutdown take way longer than putting the laptop to sleep. So, are your users taking convenient shortcuts to save time?
Anyway, back to Princeton, from their Abstract:
Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard.
…
We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials.
YouTube link to ‘Lest we remember: Cold boot attacks on Encryption keys’
Physical access is always key to security. This style of attack suggests that sensitive information is still vulnerable if stored on a laptop. This then becomes a game of risk and probability for an organisation:
- What is the chance of a targeted attack?
- Is laptop theft occurring for corporate espionage or by drug addicts trying to get cash?
- Is more “perception” damage caused by unprotected laptop theft? (I.e. Saying it’s encrypted reduces negative perception)
- What is the value of the data on the laptop?
- Is the information time sensitive? (e.g. Corporate Buyout within the month)
- Is the information privacy-related information which, once released, cannot be changed (e.g. Date of Birth, Tax File Numbers, social security numbers)?
- What is the chance of a laptop thief knowing about recovering keys used in disk encryption?
- What is the window of exploit once a laptop has been lost/stolen?
This is a great example of how physical access can really undermine security, even if encryption is used.
The Princeton site and material relating to this attack can be found at http://citp.princeton.edu/memory/