Researchers defeat hard drive encryption using canned air

February 24, 2008

A group led by a Princeton University computer security researcher has developed a simple method to steal encrypted information stored on computer hard disks. The technique involves chilling a computer memory chip with a blast of frigid air from a common can of compressed air (used upside down) so as to have sufficient time to read the cryptographic keys from memory.[1]

This is possible because of a physical property of computer memory chips. Data stored in DRAM (dynamic RAM) is volatile and disappears when the computer is turned off, but it turns out that this does not occur right away, according to Alex Halderman, a Princeton graduate student who worked on the paper.[2] Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures or if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images.[3]

Because it can take a few minutes before that data disappears, hackers have an opportunity to sniff out encryption keys. Attackers can turn off power to the PC, quickly reboot and run an analytic algorithm to recover the encryption key.[4] But for the attack to work, the computer would have to first be running or in standby mode. It would not work against a computer that had been shut off for a few minutes because the data in DRAM would have disappeared by then.[2] And obviously, physical access to the computer is also required.

Some computers wipe the memory when they boot up, but even these systems can be vulnerable. Researchers found that if they cooled down the memory chips by spraying canned air on them, they could slow down the rate at which memory disappeared. Cooling chips down to about -50 degrees Celsius gave researchers time to power down the computer and then install the memory in another PC that would boot without wiping out the data.[2] Once that PC boots up into a special operating system designed for RAM forensics, it is possible to dump the raw contents of memory onto storage. Even if parts of the key were lost due to power-loss decay, a simple exhaustive search should be able to recreate the key. But by freezing the memory, it's unlikely that much data would be lost in the first place.[5] "By cooling the chips, we were able to recover data perfectly after 10 minutes or more," Halderman said.[2] The researchers also discovered that with sufficient cooling, data may remain recoverable for hours or days.

(To those scratching their heads wondering how a can of compressed air can freeze anything: By holding such a can upside down, the contents are expelled as a liquid. As the liquid quickly evaporates into a gas, due to the laws of physics it becomes very cold, easily causing frostbite. A video of this effect can be seen on YouTube here).

The researchers were able to use this technique against Windows, Macintosh, and Linux operating systems. Apple has had a FileVault disk encryption feature as an option in its OS X operating system since 2003. Microsoft added file encryption last year with BitLocker features in Windows Vista. The programs both use the federal government's certified Advanced Encryption System (AES) algorithm to scramble data as it is read from and written to a computer hard disk. But both programs leave the keys in computer memory in an unencrypted form.[1]

Other types of software may be similarly vulnerable to this type of attack. Digital Rights Management (DRM) systems often rely on symmetric keys stored in memory, which may be recoverable using these techniques. The researchers have shown that SSL-enabled web servers are vulnerable, since they often keep in memory the private keys needed to establish SSL sessions.[3]

Ultimately, it might become necessary to treat DRAM as untrusted, and to avoid storing sensitive confidential data there, but this will not be feasible until architectures are changed to give software a safe place to keep its keys.[3]
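Because the attack needs the key to be in DRAM when power is cut, one software-side measure is to wipe the key before standby or screen lock. The following C code is an added example, not code from the researchers or from BitLocker or FileVault; `struct keyslot` and its functions are hypothetical names, and POSIX `mlock()` is assumed to be available.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_LEN 32 /* AES-256 key size in bytes */

struct keyslot { /* hypothetical holder: the one place the key lives in RAM */
    uint8_t key[KEY_LEN];
    int locked; /* 1 if mlock() pinned the page so it is never swapped out */
};

/* Zero through a volatile pointer so the compiler cannot drop the stores
 * as dead writes to memory that is never read again. */
static void scrub(void *buf, size_t len) {
    volatile uint8_t *p = buf;
    while (len--) *p++ = 0;
}

static void keyslot_load(struct keyslot *ks, const uint8_t *key) {
    ks->locked = (mlock(ks, sizeof *ks) == 0); /* may fail without privilege */
    memcpy(ks->key, key, KEY_LEN);
}

/* Call before suspend, screen lock or unmount, so this copy of the key is
 * gone from DRAM before the machine can be powered off and imaged. */
static void keyslot_wipe(struct keyslot *ks) {
    scrub(ks->key, KEY_LEN);
    if (ks->locked) { munlock(ks, sizeof *ks); ks->locked = 0; }
}

/* Self-check: count offsets in a memory region that still hold the key. */
static size_t count_remnants(const uint8_t *mem, size_t len, const uint8_t *key) {
    size_t hits = 0;
    for (size_t i = 0; i + KEY_LEN <= len; i++)
        if (memcmp(mem + i, key, KEY_LEN) == 0) hits++;
    return hits;
}

int main(void) {
    uint8_t key[KEY_LEN];
    struct keyslot ks;
    for (int i = 0; i < KEY_LEN; i++) key[i] = (uint8_t)(0xA0 + i); /* constructed sample key */
    keyslot_load(&ks, key);
    size_t before = count_remnants((const uint8_t *)&ks, sizeof ks, key);
    keyslot_wipe(&ks);
    printf("copies before wipe: %zu, after: %zu\n", before,
           count_remnants((const uint8_t *)&ks, sizeof ks, key));
    return 0;
}
```

Other copies of the key, such as an expanded AES key schedule or the caller's own buffer, need the same wipe, and the key then has to be re-derived from the user's passphrase or token on resume.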

Austin Wilson, director of Windows product management security at Microsoft, said the company recommended that BitLocker be used in some cases with additional hardware security. That might include either a special USB hardware key, or a secure identification card that generates an additional key string. The Princeton researchers acknowledged that in these advanced modes, BitLocker encrypted data could not be accessed using the vulnerability they discovered. An Apple spokeswoman said that the security of the FileVault system could also be enhanced by using a secure card to add to the strength of the key.[1]

1. "Researchers Find Way to Steal Encrypted Data", The New York Times, February 22, 2008

2. "Researchers find hard drive encryption's Achilles' heel", Computerworld, February 22, 2008

3. "Lest We Remember: Cold Boot Attacks on Encryption Keys", J. Alex Halderman et al., Princeton University, February 21, 2008

4. "Cleaning spray defeats disk encryption", PC Pro, February 22, 2008

5. "Cryogenically frozen RAM bypasses all disk encryption methods", ZDNET, February 21, 2008