Computer security experts have failed to close a loophole that allows an attacker to easily download cryptographic keys from an encrypted computer.
Of the many different ways of attacking computer content, one of the more interesting is the cold boot attack. This came to light in 2008 when a group of researchers at Princeton University announced that they had discovered an entirely new way to beat disk encryption, the standard mechanism for protecting sensitive data on laptops, smartphones, netbooks, PCs and Macs.
Today, Jos Wetzels at the University of Technology in Eindhoven, the Netherlands, outlines the technique and discusses the various options for preventing this kind of attack. His sobering conclusion is that despite the time since cold boot attacks were first discovered, this form of attack still represents a clear and present danger.
The cold boot attack is possible because of a little-known property of the random access memories used in computers to store and read data quickly. Random access memory is volatile meaning that it has to be constantly rewritten over periods measured in milliseconds. This property means that anything stored in random access memory is temporary – when the machine switched off and the memory loses power, the date is soon lost.
At least that’s what everyone thought. In 2008, the Princeton group showed that data stored in the random access memory turns out to be preserved over a period of many seconds after it loses power. What is more, cooling the memory can extend this period to many minutes and possibly hours. (One way to cool random access memory is to spray it with an upside down can of liquid air, which releases cold liquid rather than gas.)
During this short period after power is lost, any information in the random access memory is there for the taking. And this is exactly how the cold boot attack works.
The idea is to cut the power to the device and then immediately reboot it to a USB flash drive so that the operating system does not immediately overwrite the contents of the random access memory. Next, search the random access memory for sensitive material, download it and be gone.
And that’s it. Clearly, the attacker has to have access to the computer in question. But the entire process can be over very quickly.
Cold boot attacks are particularly designed to extract information when the content is stored on disk in encrypted form. Most encryption systems handle this by storing the encryption key in the random access memory so it is quickly available when needed. But that means they key can be read off the in a cold boot attack.
Having extracted the contents of the memory, the attacker still has to find the key, which is not always entirely straightforward. One way to do it is by brute force — testing every possible byte sequence as a potential key. But that is time-consuming and inefficient. Another way is to look for the metadata associated with keys such as the ASN.1 prefixes used with RSA keys.
Yet another possibility is to look for the mathematical properties of the keys, such as their high entropy. But this can produce a high number of false positives.
Probably the best way to extract the keys is to use all these techniques and any others that are available.
Security experts have successfully used cold boot attacks to defeat disk encryption on a wide variety of computers. They have used it to attack BitLocker which comes with Windows Vista, FileVault, which comes with Mac OS X and dm– crypt it is used with Linux. They have also used it on various Android smart phones with encrypted data.
So what can be done to protect against cold boot attacks? Wetzels says there are several options with varying degrees of effectiveness.
One obvious approach is to not store cryptographic keys in random access memory for longer than necessary. This requires software that removes the key when it has been used and overwrites that section of the memory. One example is an application called Deadbolt for Android smart phones, which securely overwrites any key stored in the memory as soon as the smart phone screen locked.
Another particularly promising approach is to store any sensitive keys outside of random access memory. “One proposed category of solutions consists of kernel modifications which store sensitive cryptographic key material securely outside RAM in such a way that they aren’t easily accessed by applications running with regular privileges and are lost as soon as the computer restarts,” says Wetzel.
It also possible to get hardware that is not susceptible to cold boot attacks. For example, it is possible to encrypt information stored in a random access memory and decrypt it when it is used.
Another option is to use discs that have their own cryptographic chip that decrypts data when needed. In this way, the key is never stored in the random access memory or used by the system CPU.
Of course, the security of these systems depends on ensuring that any key they rely on is erased whenever the power is lost.
None of these are perfect, of course, and Wetzel’s conclusion is that cold boot attacks “are a viable and realistic vector for an attacker seeking to extract sensitive information contained in–memory.”
You have been warned!
Ref: arxiv.org/abs/1408.0725 : Hidden In Snow, Revealed In Thaw: Cold Boot Attacks Revisited
© 2014 MIT Technology Review