Just a few days ago I wrote about how to protect sensitive data on the hard drive and other storage devices. But during the weekly meeting of “razmjenavjestina”, I was warned (by one of the LUKS developers) about a new attack that can easily dump the encryption key used by products such as Windows Vista BitLocker, TrueCrypt, Linux dm-crypt and Apple FileVault. The attack doesn’t target the encryption itself, but the failure of some computers to wipe the contents of RAM when they boot up.
This attack is based on the fact that the encryption key for the HDD is stored in RAM while the computer is running; shutting down or restarting the computer should wipe the data from the DRAM. But the Princeton research team has found that the data is retained for seconds or minutes after the computer is powered off.
They also found that by freezing the memory chips with liquid nitrogen found in a can of air, they could get the data to remain in memory easily for as long as ten minutes, and often longer. That gives the researchers plenty of time to remove the RAM, place it in another computer and dump the encryption key with the appropriate software.
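The attack works because the key sits in DRAM for as long as the volume is in use, so the only lever the software side has is how long key material stays in memory after it is no longer needed (unmount, screen lock, suspend). The C program below is an added example written for this post; it is not code from the post, from the Princeton team or from any of the products named above. It shows a scrubbing routine that a compiler cannot optimise away (a plain memset() before free() is often dropped as a dead store, which silently leaves the key behind) and a helper that counts how many key bytes are still present. The volume_key structure, the function names and the sample key are constructed for illustration; a real product would call this from its unmount and suspend paths.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not from the original post or the Princeton paper.
 * A disk-encryption key must live in RAM while the volume is mounted, so the
 * practical defence in software is to shorten its lifetime: wipe it the moment
 * the volume is unmounted or the machine is locked or suspended.
 *
 * A plain memset() on a buffer that is about to be freed is frequently removed
 * by the optimiser as a dead store. Writing through a volatile pointer forces
 * every store to be emitted. (explicit_bzero()/memset_s() do the same where
 * available; this version is portable C.)
 */

#define KEY_LEN 32  /* AES-256 key size in bytes; constructed for the example */

struct volume_key {
    uint8_t bytes[KEY_LEN];   /* raw key material held in RAM */
    int loaded;               /* 1 while the key is usable */
};

/* Zero a buffer in a way the compiler is not allowed to elide. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

/* Count the non-zero key bytes, i.e. how much key material is still in RAM. */
size_t key_bytes_remaining(const struct volume_key *k)
{
    size_t live = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        if (k->bytes[i] != 0)
            live++;
    return live;
}

/* Simulate unlocking the volume: copy the (constructed) key into RAM. */
void volume_key_load(struct volume_key *k, const uint8_t *src)
{
    memcpy(k->bytes, src, KEY_LEN);
    k->loaded = 1;
}

/* To be called on unmount, screen lock or suspend: scrub the key from RAM. */
void volume_key_wipe(struct volume_key *k)
{
    secure_zero(k->bytes, KEY_LEN);
    k->loaded = 0;
}

int main(void)
{
    struct volume_key k;
    uint8_t sample[KEY_LEN];

    memset(sample, 0x41, KEY_LEN);   /* constructed sample key, not a real one */

    volume_key_load(&k, sample);
    printf("after unlock: %zu key bytes in RAM\n", key_bytes_remaining(&k));

    volume_key_wipe(&k);
    printf("after wipe:   %zu key bytes in RAM\n", key_bytes_remaining(&k));
    return 0;
}
```

This only helps for the window in which the key is not needed: while the volume is mounted the key has to be in DRAM, which is exactly why there is no simple fix for a machine that is attacked while it is running or suspended.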
Here are the paper and the video that explain the proof of concept:
http://citp.princeton.edu/memory/
Solutions: I regret to say that at the moment there’s no simple method or mitigation for this attack.
I’ll try to keep this post updated with the latest news; contributions will be appreciated.
Bruce Schneier’s point of view: Cold Boot Attacks Against Disk Encryption
April 23rd, 2008 at 7:41 am
I found your blog via Google while searching for computer security encryption, and your post regarding ife.org » Cold boot, hot data. (Useless disk encryption) looks very interesting to me. I just wanted to write to say that you have a great site and a wonderful resource for all to share.