Cold boot disk encryption attack is shockingly effective
It's an old adage that no security measure is worth anything if an attacker has physical access to the machine, but things like heavy-duty disk encryption are supposed to at least slow things down. Sadly, that may not actually be the case, as a group of Princeton researchers has just published a paper detailing an exploit that requires little more than a spray duster and a screwdriver. Since the encryption key for systems like BitLocker and FileVault lives in RAM while the volume is mounted, all an attacker has to do to get it is cool the RAM modules with the air duster held upside down, yank the DIMM, and insert it into another machine, where it can then be read to access the key. Of course, this assumes that you've already typed in your password, but check the video after the break to see how long bits in RAM stay written; even if you've turned off your computer, there's a chance the key can still be read. Looks like there's an actual benefit to MacBook Air's soldered-in RAM after all, eh?
Just watched the video - very nice, except many computers will not boot from USB, especially not by default. I'm not saying this won't work for almost all of them, but many, especially older ones, i.e. more than maybe 2 years old, will not be able to boot from USB, and will not have that as a default option.
I hate that woman's voice. It's annoyingly ominous
Am I the only one who can see that the Apple/soldered-in RAM comment was a joke? You know, 'Ha ha, its only good benefit is that it stops obscure and technical attempts at stealing encryption codes'.
Not many seemed to.
They got "Kennedy's assassination" file. o_O
So if your machine boots off the HD first, it's less likely they can steal the data?
Still grabbing the RAM and putting it into another machine works.
Easy way to stop the method shown in the video: disallow booting from anything on the USB ports.
"Looks like there's an actual benefit to MacBook Air's soldered-in RAM after all, eh?"
Yeah because removing solder is such a challenge - ?
Well, one simple safety (which ofc wouldn't help if the computer is stolen) would be to disable boot from USB and add a BIOS password. Then they'd have to remove the RAM to get the password (or reset the BIOS), and that takes a bit longer to do.
but ofc the safest thing is to not let your computer slip out of sight.
What happens if I have the contents of my RAM encrypted? Is the key then secure?
(Sorry for double post, first reply is attached to a comment it does not depend on...)
Man, this means you'd be really screwed if you left your BitLockered laptop in the back on a -50C taxi!
D'oh! Didn't mean to double post... thought I hit the escape key in time. The dangers of broadband, I guess!
Several shortcomings have been identified in FileVault's use of cryptography, such as the use of the CBC mode of operation which can lead to watermarking attacks, reliance on 1024-bit RSA and 3DES-EDE which have an effective key size below that of 128-bit AES, and unsafe storage of keys in the OS X "safe sleep" mode. (This is the attack in the post)
So it really does not matter that the MacBook Air has soldered-in RAM.
More to the point, this is not so much a shortfall for the disk encryption systems but a flaw in computer architecture in general. This attack will only work once your system is up and running and after the drive has been unencrypted. Just the same as hitting it from the network once it's on. A good DAR system will overwrite the keys in RAM on a shutdown, dismount or restart. But on a reset, crash, or if power is abruptly interrupted, no system can overwrite its keys, leaving them in RAM.
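The overwrite-on-dismount step this comment describes, shown as an added example in C (not code from the post, from the Princeton paper, or from BitLocker/FileVault). It assumes a hypothetical volume_ctx structure holding a 256-bit volume key and a secure_wipe helper that writes through a volatile pointer, because a plain memset() on a buffer that is about to go out of scope is a dead store the compiler may drop. The sample key is a constructed pattern, not real key material. As the comment says, this only covers an orderly dismount or shutdown; a crash or power cut skips this path entirely.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32  /* 256-bit volume key; size chosen for the example */

/* Wipe the compiler cannot elide: every store goes through a volatile
 * pointer, so the writes are emitted even though the buffer is dead
 * afterwards. (Platform helpers such as explicit_bzero do the same job.) */
void secure_wipe(void *buf, size_t len) {
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of buf is zero, else 0. Accumulates with OR so
 * the check does not exit early on the first non-zero byte. */
int is_zeroed(const void *buf, size_t len) {
    const unsigned char *p = (const unsigned char *)buf;
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Hypothetical in-memory state for a mounted encrypted volume. */
struct volume_ctx {
    unsigned char key[KEY_LEN];  /* the secret the cold-boot attack targets */
    int mounted;
};

/* "Mount": the key is loaded into RAM. In a real system it would be derived
 * from the passphrase; here the caller supplies it directly. */
void volume_mount(struct volume_ctx *ctx, const unsigned char *key, size_t key_len) {
    memset(ctx, 0, sizeof *ctx);
    memcpy(ctx->key, key, key_len < KEY_LEN ? key_len : KEY_LEN);
    ctx->mounted = 1;
}

/* "Dismount" / orderly shutdown: overwrite the key before the memory is
 * released, so an orderly power-down leaves nothing for remanence to expose. */
void volume_dismount(struct volume_ctx *ctx) {
    secure_wipe(ctx->key, sizeof ctx->key);
    ctx->mounted = 0;
}

/* Walks a mount/dismount cycle and returns 1 if the key was present while
 * mounted and fully gone afterwards, else 0. */
int demo_dismount_clears_key(void) {
    unsigned char sample_key[KEY_LEN];  /* constructed pattern, not a real key */
    for (size_t i = 0; i < KEY_LEN; i++) {
        sample_key[i] = (unsigned char)(0xA5 ^ i);  /* never 0 for i < 32 */
    }

    struct volume_ctx ctx;
    volume_mount(&ctx, sample_key, sizeof sample_key);
    int present_while_mounted = !is_zeroed(ctx.key, KEY_LEN);

    volume_dismount(&ctx);
    int gone_after_dismount = is_zeroed(ctx.key, KEY_LEN) && ctx.mounted == 0;

    return present_while_mounted && gone_after_dismount;
}

int main(void) {
    printf("key overwritten on dismount: %s\n",
           demo_dismount_clears_key() ? "yes" : "no");
    return 0;
}
```

The same wipe should be applied wherever the key is copied (key schedules, temporary buffers, swap-backed pages), since any surviving copy is just as readable from a pulled DIMM as the original.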
Easy Fix: Never leave a running system unattended.
Noted that they were booting to Ubuntu from the external hard disk when hacking Windows Vista.
This is probably why US DoD destroys TS RAM. I wonder how long they knew about this?
There's a sure-fire, hack-proof solution: full disk encryption on the hard drive.
- the cryptographic key never leaves the hard drive
- it's stored on an ASIC in the hard drive with no probe points
- any attempt to remove the ASIC from the drive package locks the drive and cuts power to the chip, erasing its memory
For those serious about security, stop messing with band-aids and lock it down tight. Here's a more detailed description of this: http://www.seagate.com/docs/pdf/security/Princeton_RC514_1_0702.pdf
http://storageeffect.com
alert("this is interesting, ok?")