Blast of cold air can open computer to hackers

New research shows how easily an encrypted hard drive can be defeated


Want to break into a computer's encrypted hard drive? Just blast the machine's memory chip with a burst of cold air.

That's the conclusion of new research out of Princeton University
demonstrating a novel, low-tech way hackers can access even the most
well-protected computers, provided they have physical access to the
machines.
The
Princeton report shows how encryption, long considered a vital shield
against hacker attacks, can be defeated by manipulating the way memory
chips work. The researchers say the ease of their attack raises fears
about the security of laptop computers increasingly used to store
sensitive information, from personal banking data, to company trade
secrets, to national security documents.
Freezing a dynamic random access memory, or
DRAM, chip, the most common type of memory chip in personal computers,
causes it to retain data for minutes or even hours after the machine
loses power, the report found. That data includes the keys to unlock
encryption. Without freezing, the chip loses its contents within
seconds.

Hackers
can steal information stored in memory by rebooting the compromised
machine with a simple program designed to copy the memory contents —
before the computer has a chance to purge sensitive data, according to
the study.
Laptops left in hibernation or sleep mode, or simply not turned off at all, are the most vulnerable to the new type of attack.
"These
risks imply that disk encryption on laptops may do less good than
widely believed," according to the report, which was published this
week by researchers from Princeton, the Electronic Frontier Foundation
digital rights group, and Wind River Systems software company.
"Ultimately, it might become necessary to treat DRAM as untrusted, and
to avoid storing sensitive confidential data there, but this will not
be feasible until architectures are changed to give software a safe
place to keep its keys."
Researchers
have known since the 1970s that cooled DRAM chips can retain their
contents long after power to them is extinguished, but the researchers
said they believe their study is the first security paper to focus on
the phenomenon. National security agencies may also have been aware
that the types of breaches outlined in the study are possible, the
researchers said, but added they weren't able to find evidence of that
in any publications.
The

attacks were carried out by spraying an upside-down canister of
multipurpose duster spray directly onto the memory chips, freezing them
to minus 50 degrees Celsius (about minus 60 Fahrenheit.)
One
challenge faced by the researchers was the threat that booting the
system will automatically overwrite some parts of the memory. To make
sure the contents were retained, they used small, special-purpose
programs known as memory-imaging tools, which can be loaded over a
network connection or a USB device, to save images captured from the
memory chip. The attacks even work when the DRAM chip is removed and
transferred to a machine set up by the hacker.
Special programs were then used to correct errors in the recovered memory contents and reconstruct the keys used for encryption.
The
researchers said their results suggest that "this faith in the strength
of disk encryption may be misplaced," arguing that a moderately skilled
attacker can bypass many widely used encryption products — including
BitLocker, included with some versions of Windows Vista; Apple's
FileVault; open-source TrueCrypt; and dm-crypt — if a laptop is stolen
while it is powered on or suspended.
"The
use of encryption is not, by itself, necessarily an adequate defense,
and data in stolen laptops may be compromised even when encryption is
used," the researchers said.