Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cold Boot Attack Utilities Released At HOPE Conference

Posted by Soulskill on from the shining-a-spotlight dept.

An anonymous reader writes "Jacob Appelbaum, one of the security researchers who worked on the cold boot attacks to recover encryption keys from memory even after reboot, has announced the release of the complete source code for the utilities at The Last HOPE in New York City. The hope (obligatory pun) is that the release of these tools will help to improve awareness of this attack vector and enable the development of countermeasures and mitigation techniques in both software and hardware. The full research paper (PDF) is also available."

8 of 113 comments (clear)

  1. Yup by Anonymous Coward · · Score: 2, Interesting

    I was there in the room when they released this attack. It was really an interesting idea of taking the memory out before decay happens and putting into another box to read stuff off of it. Of Course Physical security of a machine will solve this problem but it is a very interesting attack.

    1. Re:Yup by Anonymous Coward · · Score: 1, Interesting

      With multicore processors, it might be feasible to keep the key in a CPU register and not in RAM at all times.

  2. There are some ways to minimize the problem by Psionicist · · Score: 5, Interesting

    The way I see this, you should simply not store keys in memory (that is have your encrypted file system mounted) when you not need access to the files. A correct program will overwrite the keys when the file system is dismounted.

    The purpose of full disk encryption (or system encryption in TrueCrypt is), in my opinion, not meant as a "one password to protect everything". It's just an extra measure to secure temporary files, the swap file and other tracks the OS and applications may spread around. You should still encrypt your really secret files separately, and use basic precautions such as secure file erasure when you've used them.

    That said, I still don't think this attack is so important. If you have the file system mounted, and an attacker gains access to your computer, the files are already there!

    1. Re:There are some ways to minimize the problem by Anonymous Coward · · Score: 3, Interesting

      The whole point of this is unclean shutdown. How is your computer going to overwrite the keys in memory when someone pulls the plug?

      Sometimes the mere presence of a file, encrypted or not, is "incriminating" enough. Ask Kevin Mitnick about NSA.TXT on a floppy he had - it was a listing of a host with the registered users at the National Computer Security Archive, and that got quickly spun to "having compromised the security of the NSA".

      Sometimes you want to hid the existence of information, not just the information.

  3. Re:Tamper proof case, anyone? by Sir_Lewk · · Score: 2, Interesting

    You can hardhack your way around any hardhack.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  4. Capturing machines with full disk encryption by Animats · · Score: 5, Interesting

    Here's the existing approach to this problem.

    1. Send in SWAT team. Stop user from turning off computer.
    2. Bring in HotPlug kit and UPS.
    3. Plug "Mouse Jiggler" into USB port to keep no-activity timeout from causing logout.
    4. Turn on UPS.
    5. Plug HotPlug unit into UPS.
    6. Plug HotPlug unit output plug (a male plug which is a power output) into power strip, or, if necessary, remove wall outlet plate and connect clamp-on connectors to hot wires.
    7. Unplug power strip from line power. HotPlug unit will switch in power from UPS.
    8. Plug power strip into UPS. HotPlug unit will recognize this and deenergize its output plug.
    9. Unplug HotPlug output plug and input plug. Computer is now running entirely on UPS.
    10. Carry computer and UPS to forensics lab before UPS battery runs down.
    11. Plug in UPS to keep battery charged.
    12. Access disk as desired.
  5. Re:Tamper proof case, anyone? by rwillard · · Score: 2, Interesting

    While it's true that you can bypass any hardhack security system, surprise can be a great asset. Most people, even Law Enforcement, aren't going to expect your computer to fry itself if opened, or whatever system you use. It's the kind of trick that will only work a few times, but a few times is probably enough.

    A lot of the new 'cool' law enforcement devices are USB, for easy access and easy reading of the computer. Imagine a computer that has three in-use USB ports and one open slot, and plugging a device into the open slot (or plugging a new device in by removing an existing one without disabling the security feature) would cause the computer to fry itself.

    Is it foolproof? No, but it'd be a start.

  6. Re:Memory wiper? by freddy_dreddy · · Score: 2, Interesting

    You can store the keys in video memory, you can't pull those out of a laptop. And yes, it's not only possible but also rather easy. Storing them in the lower part (first 64kb ?) which is used to display the "boot screen" will actually create an automatic sweep. Both backdoors locked.

    --
    "Violence is the last refuge of the competent, and, generally, the first refuge of the incompetent" - Thing_1