Cold Boot Attack Defeats Disk Encryption Software - InformationWeek



If the chips are kept at low temperatures, residual data can easily be recovered, researchers found.

Researchers from three groups on Thursday published research showing that disk-based encryption schemes across multiple operating systems can be circumvented to reveal protected data.

In the paper, "Lest We Remember: Cold Boot Attacks on Encryption Keys," the researchers from Princeton University, the Electronic Frontier Foundation, and Wind River Systems revealed that computer memory, contrary to popular belief, retains data for a brief period after a computer is turned off and that cooling memory chips can prolong the persistence of data in memory.

As a consequence, disk-based encryption products that store decryption keys in memory, such as Apple's FileVault, Linux's dm-crypt, and Microsoft's BitLocker, are vulnerable to attack.

"Most experts assume that a computer's memory is erased almost immediately when it loses power, or that whatever data remains is difficult to retrieve without specialized equipment," the paper says. "We show that these assumptions are incorrect. Ordinary DRAMs typically lose their contents gradually over a period of seconds, even at standard operating temperatures and even if the chips are removed from the motherboard, and data will persist for minutes or even hours if the chips are kept at low temperatures. Residual data can be recovered using simple, nondestructive techniques that require only momentary physical access to the machine."

In his blog post, Princeton computer science professor Edward W. Felten, one of the authors of the report, explains that cooling DRAM chips by spraying them with inverted cans of compressed air has the effect of freezing the data in memory for 10 minutes or more. If liquid nitrogen is used, the data can be preserved for hours without any power. During this period, a knowledgeable attacker could conduct a "cold boot" attack to access any encryption keys.

The findings raise serious questions about the ability of software-based disk encryption to protect against data theft. A FAQ document posted by the Center for Technology Policy at Princeton advises that computer users fully shut down their machines "several minutes before any situation in which the computers' physical security could be compromised."

In addition, the research paper warns that other data protection techniques, including DRM schemes and SSL sessions, could be vulnerable to this form of attack.

"There seems to be no easy fix for these problems," Felten said. "Fundamentally, disk encryption programs now have nowhere safe to store their keys. Today's Trusted Computing hardware does not seem to help; for example, we can defeat BitLocker despite its use of a Trusted Platform Module."

"We're seeing that software-based protection isn't great, and that isn't a surprise to anyone," said Steven Sprague, CEO of Wave Systems, a maker of software for hardware-based encryption systems. He said that TPM, while it may be vulnerable in bulk-encryption scenarios, should still be safe for authentication.

In the long term, Sprague expects Intel's Trusted Execution Technology will prevent this sort of attack. But in the meantime, he recommends Seagate hard drives that include hardware-based full disk encryption.

A video elaborating on techniques discussed in the paper is available on YouTube.
