Vulnerability of widely-used security systems’ memory exposed
Washington, February 22: A team of Princeton University students and experts from the computer industry has shown that it is still possible to access a piece of encrypted information even when it is stored in memory systems that are known to be “secure”, particularly in laptops.
Alex Halderman, a PhD candidate in the university’s Department of Computer Science, has revealed that the team has been successful in cracking several widely used technologies like Microsoft’s BitLocker, Apple’s FileVault and Linux’s dm-crypt.
The researchers believe that such attacks are likely to be effective in cracking many other disk encryption systems because these technologies have architectural features in common.
“We’ve broken disk encryption products in exactly the case when they seem to be most important these days: laptops that contain sensitive corporate data or personal information about business customers. Unlike many security problems, this isn’t a minor flaw; it is a fundamental limitation in the way these systems were designed,” Halderman said.
Such attacks are particularly effective against computers that are turned on but are locked, such as laptops that are in a “sleep” mode. Turning the computer off entirely may be one countermeasure, but even this does not provide complete protection in some cases.
Professor Edward Felten, the director of the university’s Center for Information Technology Policy, says that the findings demonstrate the risks associated with recent high-profile laptop thefts—a Veterans Administration computer containing information on 26 million veterans and a University of California, Berkeley laptop that contained information on more than 98,000 graduate students and others.
“Disk encryption is often recommended as a magic bullet against the loss of private data on laptops. Our results show that disk encryption provides less protection than previously thought. Even encrypted data can be vulnerable if an intruder gets access to the laptop,” Felten said.
Computer users usually think that information stored in the system’s temporary working memory (RAM) disappear immediately when the machine is shut off. But the researchers say that the data takes a period of several seconds to a minute to decay, which makes the system vulnerable to attacks.
The research team showed this by writing programs that gained access to essential encryption information automatically after cutting power to machines and rebooting them.
They say that the method worked when the attackers had physical access to the computer, and when they accessed it remotely over a computer network. The attack even worked when the encryption key had already started to decay, because the researchers were able to reconstruct it from multiple derivative keys that were also stored in memory.
According to the researchers, the attack was so powerful that they were able to obtain the correct encryption data even when the memory chip was physically removed from one computer, and placed in another machine. It could enable them to access all information on the original machine, they added.
“This method is extremely resistant to countermeasures that defensive programs on the original computer might try to take,” Halderman said.
The researchers were able to extend the life of the information in RAM by cooling it using readily available “canned air” keyboard dusting products. When they lowered the temperature of the memory to -50 degrees Celsius, it slowed the decay rates enough that an attacker who cut power for 10 minutes would still be able to recover 99.9 percent of the information in the RAM correctly.
Given the inherent vulnerability of the new technologies, Halderman said that they might need to be designed in such a manner that it does not require to store encryption keys in the RAM. (ANI)