Canned air can unlock File Vault

 

Gallery

Posted on 22 Feb 2008 at 12:12

Data on Mac hard drives that have been encrypted using OS X's File Vault feature may not be safe after all.

Researchers at Princeton University in the US have discovered that data stored in a computer's DRAM memory does on immediately disappear when the machine is switched off.

"Virtually everybody, including experts, will tell you that DRAM contents are lost when you turn off the power. But this isn't so," says Ed Felten from the team of nine researchers. "Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system.

And that is where the canned air comes in.

"If you cool the DRAM chips, for example by spraying inverted cans of 'canned air' dusting spray on them, the chips will retain their contents for much longer. At these temperatures (around -50°C) you can remove the chips from the computer and let them sit on the table for ten minutes or more, without appreciable loss of data."

This is fatal for encryption systems, which store the master decryption keys in DRAM, safe in the assumption that they would be deleted when power to the machine is cut. That assumption is simply not true, Felten says.

"Our results show that an attacker can cut power to the computer, then power it back up and boot a malicious operating system (from, say, a thumb drive) that copies the contents of memory. Having done that, the attacker can search through the captured memory contents, find any crypto keys that might be there, and use them to start decrypting hard disk contents."

It is not just File Vault that is affected. The researchers tested Windows Vista and Linux encryption systems with the same result. And there does not appear to be a fix.

"Fundamentally, disk encryption programs now have nowhere safe to store their keys," Felten says.

Princeton University's Center for Information Technology Policy has more information, including a video a successful encryption key extraction.

Author: Simon Aughton