While you were sleeping ... an attack on BitLocker etc

I'm always suspicious of people talking down security vulnerabilities, but I don't like to see them over-hyped either; so I'm going down the former path. You are allowed to be skeptical.

A couple of people have mailed me this morning about this story, picked up by The Register (a couple even forwarded me the academic paper - SEND A LINK, PEOPLE!).

RAM contents don't disappear instantly. If you get to a machine which is powered on (including low-power "sleep modes") and reboot it, there is a window during which you can mount an attack on the RAM contents. An attacker can extend this window by chilling the RAM.

As well as getting at documents I happen to be working on, by attacking the RAM one can also get to the keys used by different kinds of whole-drive encryption software - including BitLocker. These attacks can be prevented by:

  1. Powering the machine off. Steve's been saying this for a while (though for other reasons).
  2. Turning on the BIOS configuration password to prevent the boot order being changed.

One of the researchers put it like this: "Let's say you're in a coffee shop and you leave your Vista notebook screen-locked and tied to a table while you take a trip to the bathroom". I leave my laptop tied to a table? With no one watching it? OK... The attacker has to boot from his device, discover my key, and then what? Steal the laptop I guess. Or maybe set about decrypting its contents. I'd need to be in the bathroom a long time.

The Register explains that "With certain types of DRAM, a simple cold boot won't do the trick. Data fades too quickly after power down. All [attackers] have to do is open up the machine and spray a little liquid nitrogen."

I'm trying to work out how likely the average hacker is to carry a Thermos of liquid nitrogen with them. Using security screws on the RAM compartment would mean they had to carry more tools - why not just carry a set of cutters to get past any tie? But the simpler way might be to carry a knife and force me to give them the keys/passwords they need.

I know a few companies which use security screws to stop users swapping company parts out of their computers and using them in their home machines, and lock the BIOS setup to prevent users breaking things. Add those to the good practice list for machines that need to be secure. Group policy can be used to disable Sleep - I'd tend to keep it for power saving - but it can set "Closing lid" to force Hibernate when the lid is shut. Add that to the list of good practices as well.
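For a single machine rather than a domain, the same "close the lid, hibernate instead of sleeping" setting can be applied locally with powercfg. The script below is an added example, not from the original post or from Microsoft documentation; it assumes Windows Vista or later, an elevated PowerShell session, and the powercfg aliases SCHEME_CURRENT, SUB_BUTTONS and LIDACTION (the index values 0-3 are powercfg's own: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down). The Test-LidHibernate function at the end is a constructed check that parses powercfg's query output so you can audit a machine before trusting it in the coffee shop.

```powershell
# Added example: local equivalent of the "closing lid -> Hibernate" policy.
# Hibernate writes RAM to disk and powers off, so the keys are not left in DRAM
# the way they are in a low-power sleep state.

# 1. Make sure hibernation is enabled (creates hiberfil.sys if needed).
powercfg /hibernate on

# 2. Set the lid-close action to Hibernate on both mains and battery power.
$Hibernate = 2   # powercfg index: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down
powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION $Hibernate
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION $Hibernate

# 3. Re-apply the active scheme so the change takes effect immediately.
powercfg /setactive SCHEME_CURRENT

# Audit helper (constructed for this example): returns $true only if BOTH the
# AC and DC lid actions are currently set to Hibernate.
function Test-LidHibernate {
    $query = powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
    # powercfg prints lines such as "    Current AC Power Setting Index: 0x00000002"
    $indices = $query |
        Select-String -Pattern 'Current (AC|DC) Power Setting Index:\s+(0x[0-9A-Fa-f]+)' |
        ForEach-Object { [int]$_.Matches[0].Groups[2].Value }

    # Expect exactly two values (AC and DC), both equal to 2.
    return ($indices.Count -eq 2) -and (@($indices | Where-Object { $_ -ne 2 }).Count -eq 0)
}

if (Test-LidHibernate) {
    Write-Output "Lid close is set to Hibernate on AC and DC power."
} else {
    Write-Warning "Lid close is NOT set to Hibernate; RAM may keep keys while the lid is shut."
}
```

The check deliberately requires both the AC and DC values: a laptop that hibernates on battery but merely sleeps when plugged in at the coffee-shop table is exactly the case the post is worried about. In a domain, the same settings are pushed from Group Policy under Computer Configuration > Administrative Templates > System > Power Management > Button Settings, which is the route the post mentions.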

Technorati Tags: Microsoft,Windows Vista,Windows Server 2008,Bitlocker,Hacking,princeton,EFF