Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bootkit Bypasses TrueCrypt Encryption

Posted by timothy on from the war-of-attrition dept.

mattOzan writes with this excerpt from H-online: "At Black Hat USA 2009, Austrian IT security specialist Peter Kleissner presented a bootkit called Stoned which is capable of bypassing the TrueCrypt partition and system encryption. The bootkit uses a 'double forward' to redirect I/O interrupt 13h, which allows it to insert itself between the Windows calls and TrueCrypt."

2 of 192 comments (clear)

  1. Re:Do I need to prepare? by Wrath0fb0b · · Score: 5, Informative

    If you care about the privacy of your information then your PC had better be secured at least as well as you would secure your other valuables. If someone can gain physical access to your machine then it's effectively game over.

    But that's the entire point of System Encryption right there! Someone gains physical access to your machine and they still can't do squat to read the contents (short of beating you with a hose to get the password or spending serious supercomputer time). System Encryption was designed for precisely this application.

    This nice little trick here gives them a third option -- install malware at the BIOS level while leaving TrueCrypt unchanged so as to give you the illusion of safety while they read your mail/keystrokes/whatever. If I were the Border Patrol, I would consider a tool that automates the installation of this tool to be a very worthy investment.

    In short, he's exploiting the fact that encryption and authentication are two very different things. TrueCrypt can assure you that you data are unreadable without the key but cannot authenticate the MBR as being genuine. For that, you need some form of trusted computing, the mention of which never goes well.

  2. Re:Much as we hate TPM here on /. by Wrath0fb0b · · Score: 5, Informative

    http://lwn.net/Articles/144681/

    Linux has had kernel level support for TPM for a while but most F/OSS developers have an intrinsic aversion to the concept (as I said in the GP, the identity of the TPM principals doesn't exactly give me a lot of confidence) so it's not widely used as far as I can tell.

    A wonderful response from the F/OSS community would be to build a version of TrueCrypt that uses TPM to authenticate the BIOS and MBR against the known good versions.