A team of academics from Princeton University has demonstrated a new class of computer attacks that compromise the contents of ‘secure’ memory systems, particularly in laptops.
The attacks overcome a broad set of security measures called ‘disk encryption,’ which are meant to secure information stored in a computer’s permanent memory. The researchers cracked several widely used technologies, including Microsoft’s BitLocker, Apple’s FileVault and Linux’s dm-crypt, and described the attacks in a paper and video published here.
The attacks are particularly effective against computers that are turned on but are locked, such as laptops that are in a ‘sleep’ or hibernation mode. One effective countermeasure is to turn a computer off entirely, though in some cases even this does not provide protection.
The new attacks exploit the fact that information stored in a computer’s temporary working memory, or RAM, does not disappear immediately when a computer is shut off or when the memory chip is taken from the machine, as is commonly thought. Under normal circumstances, the data gradually decays over a period of several seconds to a minute. The process can be slowed considerably using simple techniques to cool the chips to low temperatures.
Disk encryption technologies rely on the use of secret keys – essentially large random numbers – to encode and protect information. Computers typically store the keys in the temporary RAM so that protected information can be accessed regularly. The keys are meant to disappear as soon as the RAM chips lose power.
But the team wrote programs that gained access to essential encryption information automatically after cutting power to machines and rebooting them. The attack even worked when the encryption key had already started to decay, because the researchers were able to reconstruct it from multiple derivative keys that were also stored in memory.
The attacks demonstrate the vulnerability of machines when they are in an active state, including ‘sleep mode’ or the ‘screen lock’ mode that laptops enter when their covers are shut. Even though the machines require a password to unlock the screen, the encryption keys are already located in the RAM, which provides an opportunity for attackers with malicious intent.
The researchers were also able to extend the life of the information in RAM by cooling it using readily available ‘canned air’ keyboard dusting products. When turned upside down, these canisters spray very cold liquid. Discharging the cold liquid onto a memory chip, the researchers were able to lower the temperature of the memory to -50 degrees Celsius. This slowed the decay rates enough that an attacker who cut power for 10 minutes would still be able to recover 99.9 per cent of the information in the RAM.
Now, the researchers have contacted several manufacturers to make them aware of the vulnerability: Microsoft, which includes BitLocker in some versions of Windows Vista; Apple, which created FileVault; and the makers of dm-crypt and TrueCrypt, which are open-source products for Windows and Linux platforms.