Cryogenically frozen RAM bypasses all disk encryption methods
Computer encryption technologies have all relied on one key assumption that RAM (Random Access Memory) is volatile and that all content is lost when power is lost. That key assumption is now being fundamentally challenged with a can of compressed air and it’s enough to give every security professional heart burn.
We all had some theoretical concerns, but surely it would be too difficult to transport hot memory from one computer to another to extract its contents, right? That’s what we all thought until a group of researchers from Princeton University showed that memory wasn’t as volatile as we had all assumed (see Techmeme). As a matter of fact, memory will hold its contents for seconds or even minutes with the power cut off. If that isn’t long enough, a can of compressed air used upside down will cryogenically freeze the memory and keep the data intact for several minutes to hours. This means the ultrasensitive encryption keys used to protect data can be exposed in
Most of the time the compressed air probably isn’t even necessary, but it offers a sure way to get the job done, since the RAM can then be safely moved to a different computer. Once that computer boots into a special OS designed for RAM forensics, it is possible to dump the raw contents of memory onto storage. Even if parts of the key were lost to power-loss decay, a simple exhaustive search over the decayed bits should be able to recreate the key. By freezing the memory first, it’s unlikely that much data would be lost in the first place.
This same attack works without the compressed air or RAM migration if the computer is configured for USB or LAN boot. You simply plug in a USB dongle and boot off that dongle, or you boot off the network. Booting off the optical drive is probably just as easy and more likely to work. Then you can dump the raw memory contents to the USB dongle or a network share. If the computer will only boot from the hard drive and the BIOS is locked against reconfiguration, then you might run into some problems.
Once the raw contents are saved to disk, forensics software can retrieve the keys from disk encryption systems such as Vista BitLocker, Apple FileVault, TrueCrypt, dm-crypt, and potentially a bunch of other data encryption solutions as well. Once the key is exposed, the hard drive might as well not be encrypted at all.
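To see why partial decay offers so little protection, here is an added illustration (not from the original post or the Princeton paper) that models the decay the researchers observed: without power, DRAM cells drift toward a ground state, so a bit that reads as 1 in the dump was certainly 1, and only the 0 bits are uncertain. The candidate count is the size of the search a defender should assume an adversary faces; the 128-bit key size, the ground-state-is-0 convention and the decay rates are assumptions for the simulation.

```python
import random
from math import comb

KEY_BITS = 128  # assumption: a 128-bit symmetric key held in RAM


def simulate_decay(key: int, decay_rate: float, rng: random.Random) -> int:
    """Model unidirectional DRAM decay: each set bit independently clears with
    probability decay_rate; cleared bits never set (ground state assumed 0).
    Returns the decayed memory image of the key."""
    image = key
    for bit in range(KEY_BITS):
        if (image >> bit) & 1 and rng.random() < decay_rate:
            image &= ~(1 << bit)
    return image


def is_consistent(key: int, image: int) -> bool:
    """True if image could have decayed from key under the ground-state model
    (no bit is set in the image that was clear in the key)."""
    return image & ~key == 0


def bits_lost(key: int, image: int) -> int:
    """Number of key bits that decayed from 1 to 0."""
    return bin(key ^ image).count("1")


def candidate_space(image: int, max_lost: int) -> int:
    """Upper bound on the keys an exhaustive search must try when at most
    max_lost bits decayed: any subset (size <= max_lost) of the image's zero
    bits could originally have been 1, so the count is a sum of binomials."""
    zeros = KEY_BITS - bin(image).count("1")
    return sum(comb(zeros, k) for k in range(max_lost + 1))


if __name__ == "__main__":
    rng = random.Random(2008)  # constructed, fixed seed for reproducibility
    key = rng.getrandbits(KEY_BITS)
    # constructed rates: "cold" (frozen module) vs "warm" (room temperature)
    for label, rate in (("frozen", 0.001), ("warm", 0.05)):
        image = simulate_decay(key, rate, rng)
        lost = bits_lost(key, image)
        print(f"{label:6s} decay={rate:.3f} bits lost={lost:3d} "
              f"candidates<={candidate_space(image, lost):.3e}")
```

Even when dozens of bits have decayed, the remaining search is far smaller than 2^128, which is why the recommendation is to keep keys out of RAM (or scrub them) when a machine is unattended rather than to rely on decay.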
The challenge we are facing here is fundamentally difficult because the problem stems from a combination of hardware, software, and usability.