Researchers develop simple attack against disk encryption

by billso on Thursday, 21 February 2008

From BoingBoing comes the most disturbing information security news I have read in a while.

We’ve long assumed that disk encryption is a robust means of storing confidential data on a computer. Disk encryption products work by encrypting all of the data on a drive, including documents, the operating system, swap files and caches. Disk encryption software can start up before the operating system to let the user enter their password or key. Disk encryption software can also be used on USB storage, as well as partitions on an unencrypted drive.

Disk encryption helps travelers keep their data confidential. My post of 5 Janaury 2008 addresses how cryptography works.

Warm RAM, lost key

Princeton University researchers have developed a simple attack that can retrieve the BitLocker disk encryption key from a Windows Vista computer. The user has to have logged into the computer so that the encryption key is then stored in the computer’s RAM. If the computer is in sleep mode, running a screen saver, or still warm, the encryption key can be extracted from RAM. The extracted data can be saved to a USB storage device, so that another computer can take its time to analyze and fix any errors in the extracted key.

The same kind of attack will also work on Apple FileVault, TrueCrypt, PGP Whole Disk Encryption, and other disk encryption products. The research report is available as a PDF file at this web site.

Declan McCullagh has posted his analysis of the report at news.com. he points out that this vulnerability has been used by other researchers to pull data through a FireWire connection to an iPod. It is difficult to harden a computer against this form of attack, but the attack must be carried out in person. It cannot be done across the Internet, at least in the form that the researchers demonstrate. The attacker needs a USB drive preloaded with the attack software. A can of Dust-Off might also be helpful, to chill the RAM.

Watch that drive

The easiest way to harden a computer against this attack is to maintain physical control of the encrypted drive. Don’t leave it alone. Update the encryption software regularly, as the software developers will more than likely develop their own patches to wipe the key from RAM.
This YouTube video produced by the research team is a brief overview of the vulnerability and the attack.

Tagged as: crime, crypto, hardware, iPod, Microsoft, security, software, storage, USB, Windows

http://billso.com billso

Here’s an article about this topic from the <a href=http://www.nytimes.com/2008/02/22/technology/22chip.html” rel=“nofollow”>New York Times
http://billso.com billso

Glenn Fleishman of TidBITS has posted a long article about this issue.
http://billso.com billso

According to news.com via BoingBoing, the flaw in Mac software has been confirmed by Apple. Macs are just as vulnerable as the Windows Vista computers discussed in the YouTube video above.

But Apple has not announced a patch yet.

Maybe after TED is done, eh? I’m waiting.