Disk encryption vulnerability found in attack on RAM
Written by Rebecca Mints   
Thursday, 21 February 2008 12:14

A new way of attacking what would be considered "secure" memory systems has been discovered by a team of researchers at Princeton's computer science department.  Laptops are the most susceptible.

 


 

The attack works by circumventing the "disk encryption."  Some common examples that were overcome by the team at Princeton are Microsoft's BitLocker, Apple's FileVault and Linux's dm-crypt. Because many encryption systems have a common architecture, this method is likely to work on many others.

"We've broken disk encryption products in exactly the case when they seem to be most important these days:  laptops that contain sensitive corporate data or personal information about business customers," Princeton Ph.D. candidate Alex Halderman remarks.  "Unlike many security problems, this isn't a minor flaw; it's a fundamental limitation in the way these systems were designed." 

Since laptops are commonly put into sleep or hibernation mode, they are particularly open to this type of attack, because it is most effective on computers that are on but locked.  A way to combat this is to turn a machine completely off, but even this won't always be an effective countermeasure.

The flaw exploited in the attack is that the information stored in a computer's RAM, including encryption keys, does not disappear instantly when the computer is powered off or the memory chip is removed.  It can take several seconds to a minute in a normal environment, and considerably longer if the chips are cooled.  The Princeton team wrote code that was able to access encrypted information after a computer was turned off and rebooted, even after the encryption key had already started to decay, by utilizing multiple derivative keys stored in memory to reconstruct the original.

No special equipment is required to exploit the vulnerability either; the commonly used "canned air" for dusting keyboards can cool the memory chips down to -50 degrees Celsius when the cans are turned upside down to release very cold liquid.  99.9% of the information stored in RAM could be recovered 10 minutes after the power had been cut.

The team at Princeton has contacted several manufacturers so they are aware of the newly found vulnerability:  Microsoft, Apple, and the makers of open-source products dm-crypt and TrueCrypt.

 

Team Gtron™ Solution Theory:
We do not claim to be developers and have not tested or discussed this proposed solution with any of the solution providers. Our specialty is discovering existing vulnerabilities for our clients.

It almost seems that it would be simple enough for the developers of encryption software to create a function that dismounts the volume before going to sleep, finds the stored key, and then destroys/removes it from memory on suspend, or to take the simple route of flushing the memory. It might be more complex trying to programmatically find all parts of the key, but just destroying the first part found would do the job... although destroying all of the key by flushing the memory would be ideal and easy to do.

Not to discredit the founders of this vulnerability, and great job on the discovery, but we do not agree with "There's not much they can do at this point," stated by Halderman in the full article. We strongly believe that something can always be done.
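The wipe-on-suspend idea above, sketched as an added example that is not code from the article or from any of the products it names. Because the article reports that derivative keys left in memory were used to reconstruct the original, the hook clears the expanded key schedule as well as the master key. The struct, the function names and the stand-in key expansion are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define KEY_LEN 32
#define SCHED_WORDS 60 /* assumed size of an expanded key, in 32-bit words */

/* Hypothetical in-memory key state of a mounted encrypted volume. */
struct volume_keys {
    uint8_t  master[KEY_LEN];       /* volume master key */
    uint32_t schedule[SCHED_WORDS]; /* derived round keys */
    int      mounted;
};

/* Write zeros through a volatile pointer so the stores are not optimized away. */
void secure_wipe(void *p, size_t n) {
    volatile uint8_t *b = p;
    while (n--) *b++ = 0;
}

/* Stand-in for key expansion (NOT a real cipher): fills key-dependent data. */
void load_keys(struct volume_keys *v, const uint8_t key[KEY_LEN]) {
    memcpy(v->master, key, KEY_LEN);
    for (size_t i = 0; i < SCHED_WORDS; i++)
        v->schedule[i] = 0x9E3779B9u * (uint32_t)(i + 1) ^ key[i % KEY_LEN];
    v->mounted = 1;
}

/* Count nonzero bytes still present in any copy of the key material. */
size_t residual_key_bytes(const struct volume_keys *v) {
    const uint8_t *m = v->master, *s = (const uint8_t *)v->schedule;
    size_t n = 0;
    for (size_t i = 0; i < sizeof v->master; i++) n += m[i] != 0;
    for (size_t i = 0; i < sizeof v->schedule; i++) n += s[i] != 0;
    return n;
}

/* Suspend hook: stop using the volume, then wipe every copy of the key. */
size_t on_suspend(struct volume_keys *v) {
    v->mounted = 0; /* volume must be dismounted before the keys vanish */
    secure_wipe(v->master, sizeof v->master);
    secure_wipe(v->schedule, sizeof v->schedule);
    return residual_key_bytes(v); /* 0 means nothing left to recover */
}

int main(void) {
    uint8_t k[KEY_LEN]; struct volume_keys v;
    memset(k, 0xA5, sizeof k); load_keys(&v, k); /* constructed sample key */
    return on_suspend(&v) != 0;
}
```

Wiping only `master` leaves `residual_key_bytes` above zero, since the schedule still holds derived key data.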

 

Reference:

Science Daily

http://www.sciencedaily.com/releases/2008/02/080221105820.htm

 
