Study: Data Encryption Leaves Sleeping Computers Vulnerable

disk encryption

In a paper published Thursday, researchers illustrated how to access a computer's memory and scan the secret encryption keys used to scramble files.

The report, titled "Lest We Remember: Cold Boot Attacks on Encryption Keys," was published by San Francisco Bay Area researchers Seth D. Schoen and William Paul and a team of Princeton researchers that include J. Alex Halderman, Nadia Heninger, William Clarkson, Joseph Calandrino, Ariel Feldman, Jacob Appelbaum and Edward Felten.

Memory modules can retain data for seconds to minutes, which can allow retrieval of cryptographic keys, even when removed from the motherboard. Software encryption products scramble data on a protected drive, but store the keys in memory when the computer is running in order to encrypt the information. Likewise, when a machine is put to sleep, the encryption keys are stored in the memory file.

However, according to the report, problems occur due to the fact that the RAM chips in laptops aren't cleared of data when the machine is turned off -- rather it takes seconds or minutes for the memory to clear.

Sponsored post

The findings describe how users can gain access to supposedly protected information by getting a hold of a computer while it is in sleep mode or waiting for a pasword prompt. An attacker could access contents of a computer's RAM by simply booting a laptop over a network or from a USB drive, and then scanning for encryption keys. The research continues to delineate how hackers could scan encryption keys.

The new research could carry with it significant implications for the future of encryption technology. At the outset, the research carries the potential to undermine user confidence in data encryption when laptops or other mobile devices are lost or stolen, experts say.

Another big takeaway is that sleeping laptops could be vulnerable to exploitation, even when storing encrypted data. Currently, in order for an encrypted file system to be completely protected, the researchers suggest that users shut down the computer completely, and wait for the RAM contents to vanish.

Researchers at the SANS Institute said in a blog post that it could mean that the encryption keys in memory might not be able to be protected from the operating system. They also maintain that researchers might have to develop a new way to do forensics and extract memory images of corrupted systems more reliably.

Other security experts say that the future of data encryption lies not in software but in hardware. "The point is that you're seeing the first real published vulnerabilities in software security," said Steven Sprague, CEO of Wave Systems. "The real call to action is anyone buying a PC should be asking for encryption capabilities in the hard drive."

Security experts maintain that hardware encryption eliminates the threat of hacking due to the fact that none of the keys are everused outside of the chip in the hard drive. The only way to steal the encryption would be to take or physically break the silicon chip.

"It's all going to be in hardware. It adds minimal cost to the drive, there's no peformance impact, and it's secure. There's no reason why it souldn't exist on every purchaser's machine," Sprague added. "When you turn your computer power on, you wake it up from sleep, the drive needs to have a password provided before a single bit comes off the hard drive."

The findings also have significant ramifications in terms of compliance and compliance-related issues, Sprague said. Legislation in numerous states, including California, requires that public companies disclose data breaches to all affected individuals, unless it can be proven that the data on the system was encrypted. Data protection might be easier to prove if the critical information was stored with encryption hardware, thus eliminating the possibility of embarrassing public disclosure if the data was somehow exposed.

Experts say that the real question in determining data breach compliance won't be "was the data encrypted?" but "how long ago was the laptop turned off?" and "Was the laptop turned off or just asleep?"

"The more vulnerabilities that are published on software, the harder and harder it will be to prove that software was sufficient," said Sprague. "We know the solution to this problem. In some aspects, this is not a surprise."