If the chips are kept at low temperatures, residual data can easily be recovered, researchers found.
Researchers from three groups on Thursday published research showing that disk-based encryption schemes across multiple operating systems can be circumvented to reveal protected data.
In the paper, "Lest We Remember: Cold Boot Attacks on Encryption Keys," the researchers from Princeton University, the Electronic Frontier Foundation, and Wind River Systems revealed that computer memory, contrary to popular belief, retains data for a brief period after a computer is turned off and that cooling memory chips can prolong the persistence of data in memory.
As a consequence, disc-based encryption products that store decryption keys in memory, like Apple's FileVault, Linux's dm-crypt, Microsoft's BitLocker, are vulnerable to attack.
"Most experts assume that a computer's memory is erased almost immediately when it loses power, or that whatever data remains is difficult to retrieve without specialized equipment," the paper says. "We show that these assumptions are incorrect. Ordinary DRAMs typically lose their contents gradually over a period of seconds, even at standard operating temperatures and even if the chips are removed from the motherboard, and data will persist for minutes or even hours if the chips are kept at low temperatures. Residual data can be recovered using simple, nondestructive techniques that require only momentary physical access to the machine."
In his blog post, Princeton computer science professor Edward W. Felten, one of the authors of the report, explains that cooling DRAM chips by spraying them with inverted cans of compressed air has the effect of freezing the data in memory for 10 minutes or more. If liquid nitrogen is used, the data can be preserved for hours without any power. During this period, a knowledgeable attacker could conduct a "cold boot" attack to access any encryption keys.
The findings raise serious questions about the ability of software-based disk encryption to protect against data theft. A FAQ document posted by the Center for Technology Policy at Princeton advises that computer users fully shut down their machines "several minutes before any situation in which the computers' physical security could be compromised."
In addition, the research paper warns that other data protection techniques, including DRM schemes and SSL sessions, could be vulnerable to this form of attack.
"There seems to be no easy fix for these problems," Felten said. "Fundamentally, disk encryption programs now have nowhere safe to store their keys. Today's Trusted Computing hardware does not seem to help; for example, we can defeat BitLocker despite its use of a Trusted Platform Module."
"We're seeing that software-based protection isn't great, and that isn't a surprise to anyone," said Steven Sprague, CEO of Wave Systems, a maker software for hardware-based encryption systems. He said that TPM, while it may be vulnerable in bulk-encryption scenarios, should still be safe for authentication.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.