Princeton study: Disk encryption not safe
Researchers with Princeton University and the Electronic Frontier Foundation have found a flaw that lets an intruder with physical access to a computer defeat its disk encryption, provided the machine is running, asleep, or sitting at a password prompt when it is taken: a laptop stolen while suspended, say, or a computer left unattended on a desk in sleep mode or displaying a lock screen. The attack takes only a few minutes to conduct and targets the disk encryption key, which has to be held in the computer’s RAM while an encrypted volume is mounted. The attack works because content as well as encryption keys stored in RAM linger in the system, even after the machine is powered off: DRAM contents decay over seconds to minutes at room temperature, and far more slowly if the chips are cooled. An attacker who cuts power and immediately reboots into a small memory-dumping program, or moves the memory modules into another machine, can image what is left in RAM and search it for the key.
“We’ve broken disk encryption products in exactly the case when they seem to be most important these days: laptops that contain sensitive corporate data or personal information about business customers,” said J. Alex Halderman, one of the researchers, in a press release. “Unlike many security problems, this isn’t a minor flaw; it is a fundamental limitation in the way these systems were designed.” The researchers successfully performed the attack on several disk encryption systems, among them Apple’s FileVault, Microsoft’s BitLocker, TrueCrypt and dm-crypt, and said they have no reason to believe it won’t work on other disk encryption systems as well, since they all keep the key in RAM the same way. The paper singles out BitLocker in its default TPM-only configuration, because there the key is loaded into memory at boot without any user secret, so even a machine that was powered off when stolen can be booted and then attacked. They released a paper about their work, “Lest We Remember: Cold Boot Attacks on Encryption Keys”, as well as a video demonstration (available on YouTube) of the attack.
Source: Wired
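The key search the researchers describe, as an added example that is not part of the Wired article or of the Princeton team’s own tools: AES-128 sits in RAM not as 16 bytes but as a 176-byte expanded key schedule whose round keys are derived from one another, so a memory image can be scanned for 16-byte blocks whose expansion matches the bytes that follow. Because the schedule is invertible, any intact round key can be walked back to the master key, which lets the search survive a few decayed bits anywhere in the schedule, including in the key itself. The “RAM image” and the flipped bits that stand in for decay are constructed inline, and all function names are this example’s own.

```python
import random

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHED_LEN = 176  # AES-128: 11 round keys x 16 bytes

def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _build_sbox():
    """AES S-box: multiplicative inverse followed by the affine map."""
    exp, log = [0] * 256, [0] * 256
    p = 1
    for i in range(255):  # 0x03 generates the multiplicative group
        exp[i], log[p] = p, i
        p = _gf_mul(p, 3)
    sbox = []
    for x in range(256):
        s = rot = (exp[(255 - log[x]) % 255] if x else 0)
        for _ in range(4):
            rot = ((rot << 1) | (rot >> 7)) & 0xFF
            s ^= rot
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _build_sbox()

def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def _g(word, rnd):
    """Key-schedule core for round rnd: RotWord, SubWord, then Rcon."""
    t = [SBOX[b] for b in word[1:] + word[:1]]
    t[0] ^= RCON[rnd - 1]
    return t

def expand_key_128(key):
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = _g(w[i - 1], i // 4) if i % 4 == 0 else w[i - 1]
        w.append(_xor(w[i - 4], t))
    return bytes(b for word in w for b in word)

def invert_round_key(round_key, r):
    """Walk the schedule backwards from round key r to the master key."""
    w = [list(round_key[i:i + 4]) for i in range(0, 16, 4)]
    for rnd in range(r, 0, -1):
        p3 = _xor(w[3], w[2])  # W[4r-1] = W[4r+3] ^ W[4r+2], and so on
        p2 = _xor(w[2], w[1])
        p1 = _xor(w[1], w[0])
        p0 = _xor(w[0], _g(p3, rnd))  # undo the RotWord/SubWord/Rcon step
        w = [p0, p1, p2, p3]
    return bytes(b for word in w for b in word)

def hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")

def find_aes128_keys(dump, max_bit_errors=0):
    """Return {offset: (key, bit_errors)} for every plausible schedule.

    Each 16-byte block of the window is tried as the intact round key; the
    candidate whose re-expansion is closest to the window wins.
    """
    hits = {}
    for off in range(len(dump) - SCHED_LEN + 1):
        region = dump[off:off + SCHED_LEN]
        best = None
        for r in range(11):
            key = invert_round_key(region[16 * r:16 * r + 16], r)
            errs = hamming(expand_key_128(key), region)
            if best is None or errs < best[1]:
                best = (key, errs)
        if best[1] <= max_bit_errors:
            hits[off] = best
    return hits

def make_decayed_dump(key, offset=200, size=512, seed=7):
    """Constructed 'RAM image': noise, one schedule, five decayed bits."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + SCHED_LEN] = expand_key_128(key)
    # Simulated decay: 3 bits flipped in the master key, 2 in round key 5.
    for byte, bit in [(2, 0), (9, 5), (15, 7), (80 + 3, 1), (80 + 12, 6)]:
        buf[offset + byte] ^= 1 << bit
    return bytes(buf)

DEMO_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 sample key
DEMO_DUMP = make_decayed_dump(DEMO_KEY)

if __name__ == "__main__":
    print("exact match only:", find_aes128_keys(DEMO_DUMP))
    for off, (key, errs) in find_aes128_keys(DEMO_DUMP, max_bit_errors=8).items():
        print(f"offset {off}: key {key.hex()} with {errs} decayed bits")
```

With `max_bit_errors=0` the decayed image yields nothing, which is the failure mode a naive exact-match search has against memory that has started to fade; allowing a handful of errors recovers the key at its offset even though three of the flipped bits are in the key itself. Real dumps are gigabytes and a production tool prunes candidates before doing a full expansion at every offset, but the structure of the check, and the reason a few minutes of decay do not save you, are the same.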

I finally understood it with the help of the YouTube video.
Well, that’s messed up, because I recently got paid to set up an encryption system for a network of PCs owned by a criminal!
“The attack works because content as well as encryption keys stored in RAM linger in the system, even after the machine is powered off,”… A quick check in the swapfile? If that’s the case, old news.
Changing ClearPageFileAtShutdown to 1 in the registry should work.
@3
No, not the swapfile (which itself would be encrypted!) but the RAM itself. Watch the vid.
Well, I never knew you could freeze RAM like that, if that’s what they’re doing; I also never knew stuff lasted that long without freezing.
Maybe a stupid question, but would this also work on hardware-encrypted drives, like the Seagate FDE drive?
MacBook Air is safe from the Princeton attack: http://radian.org/notebook/fashionable-crypto
HA! Take that PC lovers!
LOL, OMG, they are going to get a password to a porn site and MySpace and AIM. OMFG, I will not be able to live after this.
Zookeeper, you petty soul, you’re obviously not a target for this kind of technique, as your life holds no importance to anyone.
@hirmu
If you actually read that page, it says “highly-resistant to the troublesome Princeton attack.” It does not say it is immune to it… just highly resistant to it.
Also, the Airbook isn’t that powerful for the needs of most, so anybody needing real encryption wouldn’t be using it in the first place, lol.
There is a reason why clandestine organizations don’t use Macs. Get with the program. However they are nice for just surfing the net and other simpler tasks.
Way to go, Martin: first causing FUD about bogus ISP filtering laws, and now this. If you weren’t a freakin’ 15-year-old who grew up with consoles instead of real computers, you would have known that data remaining in memory long after a system was shut down is nothing new and has been known for decades.
Move along people, nothing to see here.
I guess it will take some time until mom figures out how it works, so my p0rn is still safe.
Let’s investigate three possible ways this might happen.
1. Left powered off on a table and then stolen.
2. Left power on or in sleep mode on a table and then stolen.
3. Ripped from your hands on the street.
1. They have 2 minutes TOPS to observe the owner walking away and then to run that thing somewhere to get your data. They most likely don’t have time. Most laptops run so enormously hot that you actually have 50 seconds or so.
2. You deserve to lose data.
3. The robber has 2 minutes TOPS to recover data. Most laptops run so enormously hot that you actually have 50 seconds or so.
This is the most obscure security warning I have ever heard. I do not feel any less safe knowing this information. In fact, it borders on misinformation. Yes, it’s true RAM may still hold remnants of data after power off, but in the real world the laptop would run hot, causing the data to last merely seconds. So in essence, data is lost when powering off, period. The university folks were only able to pull this off in ideal conditions, i.e. the computer was powered off in front of the “attacker”.
Sounds way more serious than it should, I think. The (nice) YouTube video explains clearly that the memory fades within roughly 2 minutes (which “FUDLOG.NET” calls a long time :)) after shutoff, which is safe enough for me.
If your data is so important that someone would jump your computer right after you look away, then:
1. Always use shutoff, never sleep mode or standby.
2. Get some program that wipes your memory. (I guess that would require a restart of the computer!?)
Don’t forget that Vista uses hibernation & standby as preferred states over powering off, and these functions are used even more on laptops than desktops.
@14 2 minutes is not safe, because the attacker can power on the computer, power off, copy RAM, find the key.
If you shut down properly, TrueCrypt and possibly other programs will wipe the key in memory. This attack is based on getting a powered-on or sleep-mode computer, interrupting power and taking a quick look at RAM.
From the TrueCrypt documentation, section Unencrypted Data in RAM (chapter Security Precautions):
——————————————————————————–
Unencrypted Data in RAM
It is important to note that TrueCrypt is disk encryption software, which encrypts only disks, not RAM (memory).
Keep in mind that most programs do not clear the memory area (buffers) in which they store unencrypted (portions of) files they load from a TrueCrypt volume. This means that after you exit such a program, unencrypted data it worked with may remain in memory (RAM) until the computer is turned off (and, according to some researchers, even for some time after the power is turned off). Also note that if you open a file stored on a TrueCrypt volume, for example, in a text editor and then force dismount on the TrueCrypt volume, then the file will remain unencrypted in the area of memory (RAM) used by (allocated to) the text editor. This applies to forced auto-dismount as well.
Inherently, unencrypted master keys have to be stored in RAM as well. When a TrueCrypt volume is dismounted, TrueCrypt erases its master keys (stored in RAM). When the computer is cleanly restarted, all TrueCrypt volumes are automatically dismounted (thus, all master keys stored in RAM are erased by the TrueCrypt driver). However, when the computer is reset (not cleanly restarted), when the system crashes, or when power supply is abruptly interrupted, the TrueCrypt driver stops running and therefore cannot erase any keys.
No real big surprise here. Even military-class encryption is vulnerable, so what can you expect from a commercial version of encryption?
There are already solutions to decrypt an entire HDD, and you do not need the RAM; you are not under the pressure of time.
Nothing is safe. Anyway, the most unsafe component of a system is the human one.
This wouldn’t work on hardware implementations of disk encryption.
A2DAK, the key for the encryption has to be stored somewhere, or no encryption can happen. And if it is stored, it can be read. To be safe, always turn the device off.
It’ll be a very nice product.
If you watch the video and then READ about it, it explains that, in the case of “TrueCrypt”, if you follow the INSTRUCTIONS and shut down cleanly then it is NOT a feasible attack…
Read the “SAS” comment, then go look at the TrueCrypt forums.
The answer is 6.
UPDATE:
If you don’t see any copies of the pattern, possible explanations include (1) you have ECC (error-correcting) RAM, which the BIOS clears at boot; (2) your BIOS clears RAM at boot for another reason (try disabling the memory test or enabling “Quick Boot” mode); (3) your RAM’s retention time is too short to be noticeable at normal temperatures. In any case, your computer might still be vulnerable — an attacker could cool the RAM so that the data takes longer to decay and/or transfer the memory modules to a computer that doesn’t clear RAM at boot and read them there.
Link: http://citp.princeton.edu/memory/exp/
TrueCrypt FTW, it does what it says. More than enough security for a lot of people. And if there is information which is THAT important, don’t freakin’ carry it around in your damn laptop.
Did they try this on SECUSTAR products??? It’s the best disk encryption software… not sh*ts like TrueCrypt or others.
No hard disk anymore; flash memory is the future.
Someone who has sensitive data should not be walking down the street with a laptop turned on. This person needs to find a secure location to access from and never leave the laptop, even for a minute. Similarly, you could find out their passwords with keyloggers (unless they are using keyfiles), but then what kind of person savvy enough to set up encryption would not know how to run an AV and firewall and not d/l pr0n exes?
This is a wake-up call not to be too overconfident in encryption systems. Amen to that. I keep my TrueCrypt partition on a USB key and find that the fact that it is not always attached makes it more secure.
Cheers
No sh*t, Sherlock.
Someone could break into a datacenter and actually steal information using this method.
Normally, even if you manage to break into a datacenter and steal a hard disk, you still have nothing. But using this method you are able to get the key without any problem. Normally a secure server is completely locked down even when you have direct access: the BIOS is locked and the hard disks are encrypted. On a very secure server this would be an easy way to get the information.
@7 That article is wrong. Whilst having the RAM soldered onto the mobo makes it virtually impossible to use the attack by removing the RAM, it has no protection against booting off an external HDD (if the Mac Air supports that? Don’t know!) and stealing the data from RAM that way. It requires more time, but is no more secure than the solution being mooted on the TrueCrypt forums (namely gluing your RAM in place [using a glue that can be removed, of course, but as long as you pick one that requires heat to remove it, you’d be just as secure!]).
@29 It will most probably work. This is not a flaw in the way any encryption software works (with the possible exception of BitLocker, which is apparently extra vulnerable) but is rather a problem with the way the hardware the system is built on runs.
@31 Damn straight. If you are *that* worried about someone using this attack on you, you should have far superior protection methods than just encryption!
How did they dump the RAM to the hard disk?
“What’s the name of the program?” And how do you dump the memory under Windows, if it’s not logged out? (Freeware, not WinHex by X-Ways.)
And if a criminal does steal your laptop/PC and finds it encrypted or password-protected, in most cases they format the hard drive and try to sell it as fast as possible.