Friday, February 22, 2008
Cold boot attacks against disk encryption
Everybody is talking about it. It's really a very nice piece of work.

However, I noticed that almost nobody is talking about mitigation strategies. It's clear that the only way to "solve" the problem is to use a different hardware architecture, something like "tamper proof" memory. However, there are thousands of organizations using disk encryption, and they will ask us what they should do now. My tips:

- Check whether the software you are using has the proper controls over the encryption keys after the volumes are unmounted. The main options on the market behave properly here (erasing the keys from memory after using them); however, it's important to be sure about it.
- Instruct users to avoid "sleep mode". Some computers have BIOS options to disable it too. This will reduce the exploitation window by reducing the time during which keys are in memory and memory is powered. Remember, the data will last only some minutes after powering off.
- Set up a BIOS password and configure your boot sequence to always start from the hard drive. I know that there is still the option to remove the memory chips from the computer to read them elsewhere, but it's not as simple as connecting an external hard drive and rebooting. Alternatively, you can turn on the memory test of the POST sequence; it will erase memory content too.

Besides that, it's important to mention that the probability of the attack is still not very high. The image of someone going into an office and doing the whole procedure from the video is more like a "Mission: Impossible" shot to me. Of course, those with very valuable information (like intelligence agencies) will have to think carefully about this issue.
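
One way to verify the "sleep mode" tip above on a Linux laptop, added here as an example that is not part of the original post: the script reports which advertised sleep states keep RAM powered. It assumes the Linux sysfs files /sys/power/state and /sys/power/mem_sleep; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a Linux host for sleep states that keep RAM powered.
# Assumption: the Linux sysfs files /sys/power/state and /sys/power/mem_sleep.
# Function names are hypothetical, chosen for this example.
set -f  # inputs are plain word lists; never glob-expand them

# ram_powered_states "<contents of /sys/power/state>"
# Prints the advertised states in which DRAM stays powered, so disk
# encryption keys stay in memory. "disk" (hibernate) powers RAM off
# and is therefore not listed.
ram_powered_states() {
    out=""
    for s in $1; do
        case "$s" in
            freeze|standby|mem) out="${out:+$out }$s" ;;
        esac
    done
    printf '%s' "$out"
}

# active_mem_sleep "<contents of /sys/power/mem_sleep>"
# The kernel brackets the variant used for "mem", e.g. "s2idle [deep]".
active_mem_sleep() {
    case "$1" in
        *\[*\]*) v=${1#*\[}; printf '%s' "${v%%\]*}" ;;
    esac
}

# audit_sleep "<state>" "<mem_sleep>"
# Returns 1 (and says why) if any RAM-powered sleep state is offered.
audit_sleep() {
    risky=$(ram_powered_states "$1")
    if [ -n "$risky" ]; then
        variant=$(active_mem_sleep "$2")
        echo "FAIL: RAM stays powered in: $risky (mem variant: ${variant:-n/a})"
        return 1
    fi
    echo "OK: no sleep state that keeps RAM powered is offered"
    return 0
}

# Audit the live system when the sysfs interface is present.
if [ -r /sys/power/state ]; then
    audit_sleep "$(cat /sys/power/state)" \
                "$(cat /sys/power/mem_sleep 2>/dev/null)" || true
fi
```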