February 21, 2008

DRAM like an elephant: breaking disk encryption

FileVault, BitLocker and TrueCrypt are widely used disk encryption technologies: we used to think of them as "rather secure" solutions, since once the computer is turned off the whole disk is encrypted and there is no way to recover its contents (yet).

We have even seen some esoteric devices meant to let you seize a PC without having to turn it off and thus triggering disk encryption, but now the attack is on a whole new level.

It seems researchers at Princeton have successfully retrieved the contents of common DRAMs seconds to minutes after the computer was turned off. No, it seems that the Gutmann effect is not involved at all.
They have built a single-purpose operating system meant to collect data from RAM, looking for disk encryption keys, and have demonstrated they can break the encryption. Actually, once you have access to RAM there are a lot of interesting things to be found, including passwords, usernames and so on.

While the attack is actually very difficult to execute - since the attacker would need physical access to the machine seconds after it was turned off, or would have to throw it into the fridge - it is nevertheless very interesting.

More information can be found at the Lest We Remember website.