Hard disk encryption vulnerable to key retrieval with physical access

Researchers at Princeton have a great YouTube video and supporting material on retrieving the secret keys used by hard disk encryption, titled “Lest We Remember: Cold Boot Attacks on Encryption Keys”.

My quick summary of their material:

  • DRAM takes seconds to minutes to lose its contents after power is removed (longer if the chips are cooled)
  • Putting a laptop to sleep keeps memory powered, so its contents never even start to decay
  • Encryption keys held in memory can be located and recovered, even after some bits have decayed
  • Disk encryption is therefore vulnerable if a user puts the laptop to sleep, or leaves it running with the screen locked, because the keys stay in memory for as long as the volume is mounted; only a full shutdown, followed by the time it takes DRAM to decay, clears them
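To make the last two bullets concrete, here is an added Python example (written for this post; it is not the Princeton team's tool, which uses a more thorough error-correcting search). It plants an AES-128 key schedule in a constructed 16 KiB "memory image", flips a few bits to mimic decay, then scans the image the way a cold-boot key finder does: the expanded key schedule that every AES implementation keeps in RAM next to the key is highly redundant, so it can be spotted among random bytes and used to repair damaged key bytes. The image contents, the decay pattern, the offset and all function names are made up for the demonstration.

```python
"""Toy cold-boot key finder (added example, not the Princeton group's code):
locate an AES-128 key schedule in a constructed memory image and recover the
key despite a few decayed bits, using the schedule's internal redundancy."""
import itertools
import random

SCHEDULE_LEN = 176  # 11 round keys x 16 bytes for AES-128


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list:
    """Derive the AES S-box (field inverse, then the affine map) rather than pasting a table."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)  # 0 has no inverse
        s = inv
        for i in range(1, 5):  # XOR of inv rotated left by 1..4 bits
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def _g(word, rcon):
    """Key-schedule core: RotWord, SubWord, then XOR the round constant into byte 0."""
    t = [SBOX[b] for b in word[1:] + word[:1]]
    t[0] ^= rcon
    return t


def expand_key(key: bytes) -> bytes:
    """FIPS-197 AES-128 key expansion: 16-byte key -> 176-byte schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = _g(w[i - 1], RCON[i // 4 - 1]) if i % 4 == 0 else w[i - 1]
        w.append(_xor(w[i - 4], t))
    return bytes(b for word in w for b in word)


def hamming(a, b) -> int:
    """Number of differing bits between two equal-length byte sequences."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image: bytes, max_bit_errors: int = 64):
    """Scan image for AES-128 schedules; returns [(offset, key, bit_errors)].
    Cheap filter: in a schedule w[5]=w[4]^w[1], w[6]=w[5]^w[2], w[7]=w[6]^w[3]
    (nearly, once decay is allowed for). Where that holds, each key word has two
    candidates, the raw bytes and the value implied by round 1, and the
    combination whose expansion best matches memory wins."""
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        w = [list(image[off + 4 * i: off + 4 * i + 4]) for i in range(8)]
        coarse = sum(hamming(w[4 + j], _xor(w[3 + j], w[j])) for j in range(1, 4))
        if coarse > 12:
            continue
        cands = [[w[j], _xor(w[4 + j], w[3 + j])] for j in range(1, 4)]  # words 1..3
        cand0 = [w[0]] + [_xor(w[4], _g(c3, RCON[0])) for c3 in cands[2]]  # word 0
        observed = image[off:off + SCHEDULE_LEN]
        best = None
        for k0, k1, k2, k3 in itertools.product(cand0, *cands):
            key = bytes(k0 + k1 + k2 + k3)
            errs = hamming(expand_key(key), observed)
            if best is None or errs < best[1]:
                best = (key, errs)
        if best[1] <= max_bit_errors:
            hits.append((off, best[0], best[1]))
    return hits


# Constructed decay pattern: (byte offset within the schedule, bit). Real DRAM
# decays toward a ground state rather than flipping randomly; the finder does
# not care which way a bit went.
DECAY_FLIPS = [(5, 3), (30, 1), (100, 6), (150, 0)]


def build_sample_image(key: bytes, size: int = 16384, key_offset: int = 4096, seed: int = 1) -> bytes:
    """Constructed stand-in for a DRAM dump: seeded random filler with the
    expanded key planted at key_offset, then DECAY_FLIPS applied."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[key_offset:key_offset + SCHEDULE_LEN] = expand_key(key)
    for rel, bit in DECAY_FLIPS:
        buf[key_offset + rel] ^= 1 << bit
    return bytes(buf)


if __name__ == "__main__":
    true_key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 sample key
    image = build_sample_image(true_key)
    for off, key, errs in find_aes128_keys(image):
        print(f"offset {off:#x}: key {key.hex()} ({errs} decayed bits in schedule)")
```

Run as a script it reports the planted key at offset 0x1000 with four decayed bits, even though the raw 16 bytes at that offset no longer equal the key because one of them was damaged. Pointed at a real dump taken after a cold reboot, the same scan is what turns "keys are in memory" into a usable key; acquiring the dump is the part the Princeton video demonstrates.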

While disk encryption still raises the bar against casual or opportunistic theft of a laptop, it may not provide much protection against a targeted attack.

It is a little ironic that software meant to protect a laptop’s contents when it is stolen or lost may not actually do so, depending on whether users shut down or merely sleep. I can vouch that with Windows Vista on a laptop, boot-up and shutdown take far longer than putting the laptop to sleep. So, are your users taking convenient shortcuts to save time?

Anyway, back to Princeton. From their abstract:

Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard.

We use cold reboots to mount attacks on popular disk encryption systems — BitLocker, FileVault, dm-crypt, and TrueCrypt — using no special devices or materials.

YouTube link to ‘Lest We Remember: Cold Boot Attacks on Encryption Keys’

Physical access is always key to security. This style of attack suggests that sensitive information stored on a laptop is still vulnerable. It then becomes a game of risk and probability for an organisation:

  • What is the chance of a targeted attack?
  • Is laptop theft occurring for corporate espionage, or by drug addicts trying to get cash?
  • Is more “perception” damage caused by unprotected laptop theft? (i.e. saying it’s encrypted reduces negative perception)
  • What is the value of the data on the laptop?
  • Is the information time sensitive? (e.g. a corporate buyout within the month)
  • Is the information privacy related, such that once released it cannot be changed? (e.g. date of birth, tax file numbers, social security numbers)
  • What is the chance of a laptop thief knowing how to recover the keys used in disk encryption?
  • What is the window of exploitation once a laptop has been lost or stolen?

This is a great example of how physical access can really undermine security, even if encryption is used.

The Princeton site and material relating to this attack can be found at http://citp.princeton.edu/memory/
