Cold boot disk encryption attack is shockingly effective
It's an old adage that no security measure is worth anything if an attacker has physical access to the machine, but things like heavy-duty disk encryption are supposed to at least slow things down. Sadly, that may not actually be the case, as a group of Princeton researchers has just published a paper detailing an exploit that requires little more than a spray duster and a screwdriver. Since the encryption key for systems like BitLocker and FileVault lives in RAM, all an attacker has to do to get it is cool the RAM modules with the air duster held upside down, yank the DIMM, and insert it into another machine, where it can then be read to access the key. Of course, this assumes that you've already typed in your password, but check the video after the break to see how long bits in RAM stay written -- even if you've turned off your computer, there's a chance the key can still be read. Looks like there's an actual benefit to MacBook Air's soldered-in RAM after all, eh?
All that work just to get at someone's porn collection?
A man's porn is his life.
You can get into a lot of trouble if someone steals his pr0n:
http://en.wikipedia.org/wiki/Edison_Chen_photo_scandal
PORN FTW!
All that article just to fling more CRapple at us. Engaaaaaagdet does it again.
Thanks for reminding me why I hate CRapple. They pay blogs to hawk trash like this.
OH, YOU ATTACHED CR TO APPLE WHICH MAKES THE WORD CRAP! THAT'S CLEVER, YOU'RE CLEVER.
lol
lol, go Jake, best...comment...ever
Seriously, if there's one mention of anything Apple, why do people start going "OH MA GAWD, UR APLE FANBOIS!!11!", but if there's mention of anything Microsoft no one goes nuts. Hmmm...
wow, there's a benefit to getting a macbook air. who knew?
but seriously, that mention was unnecessary. stop being such apple supporters, engadget.
It's little quips like that that make many people love Engadget.
Oh, sure, if they so much as say the word 'MacBook' it automatically = Apple support? Come on, we all know that was a clever way to get in a hidden dis. ;-)
(^.^)
-
Blah blah blah blah...
Just shut the f*** up. If you don't like what you read, just go somewhere else. No one is forcing you to read news here. If you don't like the news, and don't like Mac (which is fine with me) you should leave the rest of us with the Engadget we like.
I'm tired of you whiners.
Thanks, good bye.
Well, if you're hardcore enough to want to get that out of someone's RAM, chances are you could de-solder the ram to get it. Come on. Lol.
@ JD
And by the time you have de-soldered the chips from the Apple, you have to re-solder them back to a compatible circuit board or device. By the time you have done that - assuming you did - the chips should have lost their memos or could have been zapped by ESD or even fried by the heat of the soldering tool itself.
If you want a secure laptop, use a remote-triggered C4 charge and pack the explosives near the hard drive. When the laptop gets stolen, push the button. KA-BOOM! Bye bye data. And Laptop. And Thief.
My Asus W7S has one stick of RAM soldered in... but that's certainly not a feature. It's quite the opposite, actually... It's pretty annoying.
Odd... when they mentioned soldered RAM I was thinking new-generation Asus Eees instead =P
Actually you don't have to take out the RAM, you can theoretically boot off of a thumb drive and grab the contents of RAM.
@Eddie: Wow, the "if you're not with us, you're against us" attitude incarnate. It's alive! Guess what, part of living in the free world is the right of dissent. I can actually frequent this board, disagree with everything you say just because and even call yo' mama fat, and there's not much you can do about it except do some whining of your own. Boohoo!
@ someyungai
Boot off a thumb drive and nab the contents of the RAM? How? If I am right, if you boot from a thumb drive it loads to the RAM, destroying anything in it!
What happens if I have the contents of my RAM encrypted? Is the key then secure?
@holo
I doubt it's possible to effectively encrypt your RAM. The decryption has to happen somewhere and the keys have to be held somewhere as well. I suppose if you had very little RAM the keys could be stored in the processor cache. Or you could keep the keys section of the RAM encrypted.
@aguilez
it's theoretically possible if the program on the thumb drive is small enough to only overwrite a tiny part of the RAM. but then it's hit and miss
Where would Engadget be if they couldn't work Apple into every post?
"Looks like there's an actual benefit to MacBook Air's soldered-in RAM after all, eh?"
No, not really
I'd love to see Engadget's response if it was Dell or Microsoft that thought to solder the memory.
Microsoft soldering the memory just doesn't make sense, unless you're talking about on a game console or a Zune, since they don't make computers.
And if Dell did it, I doubt there'd be a fuss.
Actually, I'd be just as disgusted with a Dell that doesn't allow RAM upgrades. Restrictive hardware is restrictive hardware. Though, the Air is almost the size of a palm top. So I guess that a little leeway is justified when Apple deviates from hardware expectations.
I know, right? because.... besides maybe graphics done for some artistic job, what would someone with an Apple actually need to protect? Garage Band files? Dock icons? Warhol-ish-filter shots from the integrated webcam?
and really, what macbook air owner is going to do graphics? it's a fashion statement for people that check their e-mail and want to play the built in 3D chess (if it can even run that properly).
haha... soldiered in ram.
Vista Solders my PC memory everyday.....
I knew Apple wouldn't let me down.
The fact that Apple kept OSX out of the world of competitive operating systems by locking it to their hardware means they've let each and every one of us down.
...Google + Canonical FTW!
Clever hackers. Really, stuff like this is a bit cool.
wah waaaahh.
Pun *definitely* intended.
I love when they post How-To videos like this. It's so well thought out, too. Each step is slowly described and then executed. I'll be sure to try these tips the next time I want to obtain some direly important data.
P.S. No, my reply is not relevant to Liam's comment. Yes, I am riding on Liam's coattails. Forgive my ways of the whore.
Creepy. i have one of those duster cans right next to me as of this writing.
same.
i feel 1337er.
I got two cans by my side. That makes me über 1337er.
Steal this idea:
Put a capacitor on the RAM module that holds enough power to write a pass of random data onto the memory once power is cut. Ensure it works in extreme cold ;p
im no apple fanboy myself, far from it
but its still enjoyable watching you guys constantly hound engadget for every little apple mention
chillll out
Excuse me for being an idiot, but what's the air duster for?
Usually those cans are filled with a liquid gas to push out the can's contents; if you turn the can upside down the stuff flows to the nozzle (because it's the heaviest of the can's contents) and the stuff is pretty cold when it reacts with the oxygen in the environment. Ice spray works like that. It's an easy way to cool stuff down quickly. So, done my geek duty for today.
Cooling down the RAM
The stuff in the can doesn't "react" with oxygen. It just evaporates quickly.
Sorry to nit-pick, but I can't let someone be wrong on the internet.
"evaporates quickly" thus removing heat from the surrounding environment to power its own transfer from one state to another, liquid -> gas. To me that's a reaction, well not a classic oxygen reaction, maybe I used the wrong term.
xkcd ftw!
It's not a reaction, it's a change in atmospheric pressure. It works just like any refrigerator or chiller. The gas used in the "can of air" is pumped into the can under pressure, which changes its state from a gas into a liquid. This process can be compared to the condenser side of an air conditioner or chiller. This part gives off heat energy. When the can is turned upside down and the trigger pressed, the liquid escapes the can faster than intended and instead of changing states from a liquid into a gas in a controlled manner (blast of air), it saturates the area briefly with the liquid. Almost instantly the liquid evaporates, which is the change of state from liquid to gas. This evaporation process needs heat energy to complete, so it "borrows" it from anywhere. In this demonstration, from the RAM chips. Again, compared to the evaporator of an air conditioner.
No reactions, just changes of states and transfers of energy. Anyway, sorry to hijack this thread, just wanted to clarify.
Oh man, yet another advantage that Mac has. *rolls eyes* was that REALLY necessary?
was repeating what other people already said REALLY necessary?
You're right Nick, I also shouldn't vote because other people already voted for the candidate.
No, but you shouldn't fill up the page with redundancies that nobody wants to read.
And Engadget should stop posting Apple references in EVERY SINGLE POST that nobody wants to read. In fact, they should mark all the Apple references in green so that I know to skip those sentences. There's a revolutionary idea!
David, you're still posting...
hey hey dave, here's an idea!
ok, pretend that you're still VERY very concentrated in reading this, SLOOOWLY reach for that crowbar next to your mouse, do it now, he's not looking yet... ok hide it now, he's looking again... ok when i say "now", quickly turn around and hit him in the head with the crowbar, he'd let go of his gun then you'll be free... wait for it... wait for it... NOW!!!
oh? turns out no one's forcing you to read engadget? pfffft all that for nothing...
apple fanboi ftw!!
Umm, if anything it was a swipe at Apple. The way some people get worked up...
EPIC FAIL!
And mark all the Microsoft references in red so you know whose ass to kiss. Jesus Christ, shut the hell up.
"Looks like there's an actual benefit to MacBook Air's soldered-in RAM after all, eh?"
Well, you could always solder the RAM yourself, you know. Heck, why not solder your beloved Mac to your head, that would be the most secure solution of all - and of great benefit to us all.
What is the MacBook Air fuss about? Someone at an Apple plant can de-solder the stuff to replace it. I mean they can be quite decadent but a $2.000 machine with irreplaceable parts? Come on. The paper says that you can deep freeze the modules with liquid oxygen/nitrogen and it will keep the data for hours. Enough time for someone who can carry around a bottle of liquified coolant to fiddle around with a desoldering apparatus. I mean this is nothing your average laptop thief would take advantage of anyhow.
i'd buy a $2.00 machine, even if it was apple.
Lol you're right, I used the wrong separator again. I just can't get a grip on the American system. $2'000.00 better? I hate that way, 2000 dollars and 14 cents should read 2.000,14$ not $2'000.14. But that's a language thing "point something" simply sounds better than "comma something" that's why you use it. But anyway, you know what I was trying to say don't you :p
After a comma comes the decimals! Your ways are wrong!!
2.000,00€
$20,000.00
What makes more sense, "full stop" being comma or a dot like in text?
Oh shi- never mind
Oh so it's a regular comma? I guess I always saw the wrong spreadsheets. Thanks for clearing that up. Learned something today :p
20.000,00€
$20,000.00
The "full stop" is not handled like that, at least in Germany. The comma (to me) actually makes more sense in the way that it lets you "add" something to the number (a fracture of a currency unit) the way it is used in grammar to add a subordinate clause to your sentence. The dot itself is only used as an optical aid to help you distinguish long rows of numbers. I guess because of the language difference I addressed in my last post you guys simply came up with a virtually identical system, and don't we all have a little trouble adapting to stuff that looks familiar but works totally differently? I guess I do.
I shouldn't try to write such trollish text and then not check multiple times.
It's supposed to be "a fraction of a currency unit". Guess I fractured some major brain stem or sth.. ^^
Where did you get your suits from?
The toilet store?
Goodnight.
Agreed, I'm so sick of it.
agreed, and i'm a kitchen.
Princeton researchers use Lenovo.
Word.
Agreed, I'm so sick of it.
1) Crap, that's a Thinkpad in the demo, my all-time fave laptop (on my 4th (5th?) now, a 4-yr-old T42).
2) Hey, wait, that's a REALLY old Thinkpad, as that layout (keyboard at the front, instead of that waste-of-space wrist rest (sayit3timesfast)) hasn't been used in, maybe, eight years.
Any idea how relevant this is to other vendors/models, other than the 'better than all the rest' (but slower than my T42) AirBook?
OK, so you can get the encryption key by freezing and yanking the RAM AFTER someone has already entered their password. While it is possible to grab this after the machine is shut down, essentially a thief would have to nab the laptop in question while in use (i.e. from someone's lap!)
Possible? Perhaps. Practical? Definitely not.
(unless maybe you work for some secret service agency)
Well, it's all about human error. This is an example of how human error could be particularly devasting, if there was really sensitive data on the drive. An example someone gave earlier; your porn collection.
This hack works when it's also in standby/sleep mode. Most people with laptops just close the lid and send it into that mode, and since it's closed the person isn't using it, meaning it can be on a table or in a bag that they forgot etc...
Whoever made the video seems to confuse sleep mode and powering off your computer. If your computer is in sleep mode, memory is still consuming power so the computer can quickly resume where you left off. Laptops go into sleep mode when you close the lid, as in the video. On the other hand, hibernation writes the contents of RAM to disk and then shuts down, and when you boot back up the RAM is restored from disk. But to do this the disk must be decrypted, since the key is no longer in RAM you'd get a prompt (thus hibernation mode is safe from this attack, although slower than sleep mode).
Does TPM solve this problem?
Theoretically, if the OS used the TPM for crypto AND password management... and if every computer had a TPM chip.
But for the most part, no.
On the other hand, this article makes the same mistake almost EVERY article on security makes: it's not enough to have an exploit (ie: a threat), you have to consider the risk (how likely/easy is it to do - in this case, pretty damned hard), and how much of a cost will it create if you're hit with it - which given that you already have to type in your password for this to work and have two virtually identical computers running identical software... well, not much.
Most exploits tend to be like this.
Are they real? Yes.
Are they likely? No, not really.
Can they do much harm? Not really unless you've done something really dense.
[And for the people who are going to nitpick - please notice the word 'most' - which does not mean the same thing as 'all'.]
I believe it would be in a lot of implementations although if the actual key was never put into memory... then it shouldn't be.
TPM can help. BitLocker can be configured to use TPM _and_ PIN, so the cold-memory attack would not reveal enough to unlock the BitLocker drive. This is by the way the recommended configuration. Of course you need a TPM platform.
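As an added defensive check (not code from the article, the Princeton paper, or any commenter), the PowerShell audit below ties together two mitigations raised in this thread: the TPM+PIN BitLocker configuration described in the comment above, and hibernating rather than sleeping on lid close so the key is not left in powered RAM. It assumes an elevated PowerShell on a Windows machine with the BitLocker module, and its parsing assumes English-language powercfg output.

```powershell
# Cold-boot exposure audit for a Windows laptop (added example).
# Checks: 1) every BitLocker volume has a TPM+PIN protector, so the TPM
# will not release the volume key at boot without the PIN;
# 2) closing the lid hibernates (RAM powered down) instead of sleeping
# (key still resident in powered RAM, as the thread points out).

function Test-BitLockerPinProtector {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint  = $vol.MountPoint
            Protection  = $vol.ProtectionStatus.ToString()
            Protectors  = ($types -join ', ')
            # TpmPin and TpmPinStartupKey require a PIN before the TPM
            # unseals the key; a bare Tpm protector does not.
            RequiresPin = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' })
        }
    }
}

function Get-LidCloseAction {
    # powercfg prints the lid-close index per power source (AC and DC).
    # Index meanings: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down.
    $names = @{ 0 = 'Do nothing'; 1 = 'Sleep'; 2 = 'Hibernate'; 3 = 'Shut down' }
    $out = powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
    foreach ($source in 'AC', 'DC') {
        $line = $out | Select-String "Current $source Power Setting Index: 0x([0-9a-fA-F]+)"
        if ($line) {
            $idx = [Convert]::ToInt32($line.Matches[0].Groups[1].Value, 16)
            [pscustomobject]@{ Source = $source; Index = $idx; Action = $names[$idx] }
        }
    }
}

$volumes = @(Test-BitLockerPinProtector)
$volumes | Format-Table -AutoSize
foreach ($v in $volumes | Where-Object { $_.Protection -eq 'On' -and -not $_.RequiresPin }) {
    # Adding a PIN protector may first require the "Require additional
    # authentication at startup" BitLocker policy to be enabled.
    Write-Warning "$($v.MountPoint): TPM-only protector, key is released without a PIN. Consider: manage-bde -protectors -add $($v.MountPoint) -TPMAndPIN"
}

$setFlag = @{ AC = '/setacvalueindex'; DC = '/setdcvalueindex' }
$lid = @(Get-LidCloseAction)
$lid | Format-Table -AutoSize
foreach ($l in $lid | Where-Object { $_.Index -ne 2 -and $_.Index -ne 3 }) {
    Write-Warning "Lid close on $($l.Source) = $($l.Action); RAM stays powered. Consider: powercfg /hibernate on; powercfg $($setFlag[$l.Source]) SCHEME_CURRENT SUB_BUTTONS LIDACTION 2"
}
```

The script only reports; the manage-bde and powercfg commands in its warnings are the real remediation commands and are left for the administrator to run deliberately.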
Umm, if you thought that line was praising Apple, then you all need to learn how to spot sarcasm. If they can pull your RAM out, you've already been jacked, so how is that protecting you?
Personally, if I got my hands on somebody else's Macbook Air, I think checking the contents of the drive would be the last thing on my mind. I think I'd figure out a way to keep it myself.
Unless the other person claimed it, of course :-)
Alright, let's clear up some misconceptions.
Macbook Air's soldered on RAM doesn't make a difference. Yes, you could have more time to take out a DIMM if you froze it first, but the point of the freezing is to have the bits remain in memory longer. So, if you opened up a Macbook air and froze the memory, it'd still give you more time to boot off an external drive and retrieve the keys, you'd just have to do it while on the Macbook air (and you better hope whatever you're booting from can be powered by the MBA's single USB port).
Also, TPM doesn't "solve" this problem. In fact, it is the problem. TPM stores these keys when the machine is turned off, but also when the machine is running, the OS retrieves these keys from the TPM chip and stores them in RAM to encrypt/decrypt the HDD on the fly. So, essentially, because of the TPM chip and the ability to do full disk encryption, you are able to run these attacks.
Essentially, this all boils down to the fact that things in memory stay in memory even when the machine has been turned off, provided you don't give it a chance to clear out memory cleanly, and you have enough time to retrieve them.
Whoa.. hold on there Fuzzy.
Kinda leaping over all sorts of things here. First off, the trick works by chilling the cells in the DRAM, which will deplete over a short time, erasing the memory if it's not refreshed (that would be the D in DRAM - dynamic as opposed to static).
So unless you have a magic soldering iron that doesn't use heat, or you're doing something really amazing to insulate the DRAM chip from the heat (or you're shearing off the chips...) then there's really no way to use this trick if the DRAM is soldered on the motherboard. Moreover, you can't put it into another MBA for the same reason, although I suppose you could rig up some kind of assembly to put the frozen DRAM that's been cut out of the first MBA into the second...
And you can't retrieve the keys by booting off it in slave mode because that's accessing the HARD DRIVE - not the RAM - assuming for the moment that slave mode doesn't use the CPU and RAM as a pass-through controller - which would wipe the memory you wanted to copy in the first place.
The TPM is NOT used for password storage or even PKI management in either MacOS X or Windows without additional software (definitely not in Windows - Mac owners - correct me if I'm wrong here, but I'm fairly sure it's only used for the OS DRM - otherwise the JAS hacks wouldn't work). The TPM *could* be used for this, but isn't - so while it could actually fix this problem - since IT'S soldered down - see the previous paragraph - AND... not all Windows boxes have TPMs - it's still fairly rare, so it's all done in software - ie: in the memory.
Maybe I'm reading something wrong, Jeff, but from the paper it doesn't sound like removing the RAM (where the encryption key is being stored for on-the-fly usage) is necessary. Cooling it down is just to allow the residual imaging to be slower, which based on a lot of variables might not even be necessary. As far as extracting the keys from memory that still has the residual image, you could do it from the host machine without having to remove the memory, which is the reason I said the Macbook Air's soldered on memory doesn't make a difference provided you can run the tools on the host machine.
If you did use the host machine to do the imaging, then you risk the BIOS writing over parts of the memory with its own code, which might lead to not getting your key, but I guess that's luck of the draw/difference in BIOS characteristics.
As for the TPM comment, you are right. I misspoke. The TPM chip doesn't store any keys, but it really isn't a mitigating control for this attack. The attack is essentially attempting to harvest the keys from memory to decrypt the hdd at a later time.
Definitely not even attempting to read the posts above me...
Thanks for ruining another comment thread babies.
This is an interesting post, did anyone notice? If I had a Thinkpad with the hardware security and whatnot I'd think it was reasonably secure. Granted, someone really has to want your data to go through this process. Unfortunately it won't take them that long.
Things are either secure or they're not. Looks like there are a lot more things to add to the NOT list.
You actually consider this exploit serious enough to worry about? You realise to make it work, they'd have to steal your laptop after you've logged on and then do all of this to get your passwords, then restore your laptop and get it back to you without you knowing it.
Or.. they could just sneak a keystroke logger on your system...
Or a worm
Or a...
This is one of the *hardest* exploits I've seen in a long time.
Yes, but the purpose of full disk encryption is mainly to prevent loss of data on stolen laptops. In fact many people are putting it forward as the solution to that problem. Since in its current implementation it is not secure against attacks, then it is not a solution. I am sure in any future implementations on-chip decryption will be a must (that or encrypted RAM, but let's not be too paranoid), at least for certain government standards.
For most users this is most likely not a problem, since their data is really not that important.
To me this hack was shockingly easy, while I admit I am not at all concerned with someone taking my laptop and copying its data, it is a legitimate concern.
I'm not "worried" about it. I'm a firm believer that any security precautions /purchases / implementations should be based on a rational evaluation of the actual threat and cost of exposure. Otherwise the cost is boundless.
Once something like this is out there: it makes a system that had been perceived as quite secure even when physical security is compromised not so shiny. Especially if you're using it to defend highly sensitive data and not just p0rn.
You think people smart enough to encrypt their hard drives use windows?
Encrypted root isn't even /in/ the windows installation options.
You can forget software exploits.
my whole company uses Windows and all 500 or so laptops currently run full disk encryption.
I want that attack program they use...anyone got a copy of it? I'd love to hack a few harddrives at work for fun :)
"Looks like there's an actual benefit to MacBook Air's soldered-in RAM after all, eh?"
Clearly not if you watched the entire video instead of just reporting on it.
At timestamp 5:06 they clearly state that they were able to successfully attack the Mac File Vault encryption software.
The attack is not limited to physically taking out the RAM.
...and then, to their utter horror, they will realize that the integrated mic and webcam and gps pcmcia card send snapshots to my email account every 20 minutes.
Just want to let you know Nilay Patel, that it should be "a group of researchers HAVE published, not has". I'm pretty sure that is correct. I just noticed it while glancing quickly. No harm.
A group HAS published. It's already correct.
So what if you store your keys on a hardware token? are the keys still stored in memory?
What OS was the computer using with that h4x program? Was that Ubuntu or something?
yeah.
ubuntu ftw.
On Leopard there is an option to use secure virtual memory. And from the apple docs:
"It’s possible that sensitive information contained in your computer’s RAM while you are working will be written to the hard disk in virtual memory and remain there until overwritten.
If you are concerned that sensitive information is being left on your hard disk, you can eliminate the risk by using secure virtual memory. Secure virtual memory encrypts the data being written to disk."
So based on this I would imagine this hack would not work if you had some sort of encryption running on the memory itself.
http://docs.info.apple.com/article.html?path=Mac/10.5/en/11852.html
This could work well in espionage.
As soon as someone switches off and leaves their laptop (or desktop), insert your usb key as quick as poss, and boot from it, rip the data on the ram, switch the computer off, leg it.
Then in your own time, find the key from the data on the usb stick, then come back when you have more time with the system (or steal the system). Et voila, decrypted data.
Not that I approve of this type of thing. Just indulging my James Bond fantasies.
Just one quick question: Out of interest, Can the Macbook Air boot off its usb port?
This is a good attack. It takes advantage of vulnerabilities not normally considered or protected against. Point is, most data theft comes from the inside. In a situation where I want data, but am not authorized to access it, I would know where the data resides, and this is how I would get it.
Keystroke loggers are either installed, and you might not have admin rights to do so, or hardware devices, and the place I work has computers that will alarm if you unplug any hardware, open the case, or connect any hardware. If I connected the external drive here, the alarm would sound, but I could be gone with my device before anyone responded.
It's a nice hack.