Disk encryption easily cracked, researchers find

The disk encryption technology used to secure the data in your Windows, Apple and Linux laptops can be easily circumvented, according to new research out of Princeton University.

Get Network World columnist Scott Bradner's take on this research.

The flaw in this approach, the researchers say, is that data previously thought to disappear immediately from dynamic RAM (DRAM) actually takes its time to dissolve, leaving the data on the computer vulnerable to thievery regardless of whether the laptop is on or off. That's because the disk encryption key, unlocked via a password when you log on to your computer, then is held in DRAM. If a thief can get a hold of the key, he can then get into the disk.

"We demonstrate our methods by using them to defeat three popular disk encryption products: BitLocker, which comes with Windows Vista; FileVault, which comes with MacOS X; and dm-crypt, which is used with Linux," writes Ed Felten, a Princeton professor, on his blog, Freedom to Tinker.

The researchers, which also included participants from the Electronic Frontier Foundation and Wind River Systems, have created a captivating video demonstrating a process (one using a program dubbed "Bit-unLocker") that can be used to snatch the data. In the video, the narrator explains that it takes seconds for data to fade and that the process can be slowed by cooling the memory chips (they chill the memory chips to around -58 F with a liquid spray and remove them without affecting the contents). The chips can even be switched to a different computer to read them. Liquid nitrogen can be used to cool the chips for hours, the researchers say.

"This is deadly for disk encryption products because they rely on keeping master decryption keys in DRAM," Felten writes.

Felten adds that even using Trusted Computing hardware doesn't help.

(A presentation from a pair of security researchers scheduled for Black Hat USA last summer that promised to undermine chip-based desktop and laptop security was suddenly withdrawn without explanation. The briefing promised to show how computer security based on trusted platform module hardware could be circumvented.)

The Princeton findings prompted Steven Sprague, CEO of Wave Systems, which makes management software for hardware security devices, to point out that such attacks on laptops would be preventable via hardware-based encryption offerings.

"The advantage of hardware-based encryption is that all the encryption, key management and access control all happen inside the chip so there is no software risk to reverse engineer the encryption silicon," Sprague said. The encryption key never leaves the hardware-based encryption disk in this case, he said.

Members of the Dataloss@attrition.org mailing list, which daily documents data breaches, buzzed about the findings, with some suggesting the research shows the need for multifactor authentication or partial keys stored in separate places.

U.S. states have enacted a series of tough data disclosure laws over the past five years which force companies to notify residents whenever they lose sensitive information. Under these laws, a missing laptop can cost a company millions of dollars as well as public embarrassment as it is forced to track down and notify those whose data was lost.