RAM exposes the key to your secret data

Posted by Wolfgang Gruener

Princeton (NJ) – Researchers from Princeton University are describing a new and apparently very effective security attack that will allow hackers to access encrypted data on your PC. Technologies such Microsoft’s BitLocker, Apple’s FileVault and Linux’s dm-crypt have no defense against this new attack.

A stolen laptop is a scary scenario for any road warrior, especially if you are carrying important information such as personal information of customers or trade secrets. The most effective method to keep critical data safe in the event a laptop is stolen or lost has been data encryption or even a hard drive that automatically encrypts data. As it turns out, that data may not be safe at all, according to a paper released by Princeton researchers today.

In a project that specifically examined the safety of encrypted data on a PC, they found that encrypted data can easily be accessed by obtaining the encryption key. That key is stored in a computer’s random access memory (RAM) as soon as a user has typed in his password.

While it is generally believed that data is lost as soon as the RAM loses its power, the researchers found that that contents stored in RAM do not disappear immediately when the power supply to the chip is removed – which typically is the case when a computer is turned off. Instead, data decays over time and can remain in the chip for a period of several seconds to up to a minute. This process can be “slowed considerably” if the chip is cooled, the researchers said. 99.9% of the RAM data was still available after 10 minutes when the chip was cooled down to -50 degrees Celsius.

These findings suggest that a security attack especially on notebooks can always be successful when a system is at least in a sleep mode. Only completely powered down systems apparently can withstand such an attack and provide the protection level promised by data encryption.

The researchers said they were able to write programs that gained access to essential encryption information automatically after cutting power to machines and rebooting them. The method worked when the attackers had physical access to the computer and when they accessed it remotely over a computer network. The attack even worked when the encryption key had already started to decay, because the researchers were able to reconstruct it from multiple derivative keys that were also stored in memory. The attack on RAM can be extremely effective as full data access was even achieved when the memory chip was physically removed from one computer and placed in another machine to retrieve the encryption key.

None of the attacks required specialized equipment. “I think we're going to see attackers doing things that people have previously though impractical or impossible,” said computer security researcher Jacob Appelbaum.

The researchers said they have contacted several manufacturers to make them aware of the vulnerability, including Microsoft, Apple as well as the makers of dm-crypt and TrueCrypt.  “There’s not much they can do at this point,” said Alex Halderman, a Ph.D. candidate in Princeton’s computer science department. “In the short term, they can warn their customers about the vulnerability and tell them to shut their computers down completely when traveling.”