RFC: Flaw in BitLocker, Apple's FileVault, TrueCrypt, and dm-crypt

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View


SAN FRANCISCO (AFP)  Researchers said Friday they found a way to sidestep
encryption technology commonly used to protect sensitive data in computers.

A "major security flaw" in several types of popular encryption software
exposes supposedly safeguarded information, provided a savvy data thief can
get hold of the machines, according to the Electronic Frontier Foundation.

"People trust encryption to protect sensitive data when their computer is
out of their immediate control," said EFF staff technologist Seth Schoen, a
member of the research team.

"Whether your laptop is stolen, or you simply lose track of it for a few
minutes at airport security, the information inside can still be read by a
clever attacker."

Researchers claim they cracked an array of commonly-used encryption
programs, including Microsoft's BitLocker, Apple's FileVault, TrueCrypt, and

In a paper published on the Internet, researchers show that data is
vulnerable because encryption keys and passwords linger in the temporary
memory of computers after machines lose power.

"We discovered that on most computers, even without power applied for
several seconds, data stored in RAM seemed to remain when power was
reapplied," said research team member Jacob Appelbaum, an independent
security specialist.

"We then wrote programs to collect the contents of memory after the
computers were rebooted."

Laptops are especially vulnerable to the attack when the machines are in
lock, sleep, or hibernation modes, according to the report.

"We've broken disk encryption products in exactly the case when they seem to
be most important these days: laptops that contain sensitive corporate data
or personal information about business customers," said Princeton University
computer science doctoral student J. Alex Halderman.

"This isn't a minor flaw; it is a fundamental limitation in the way these
systems were designed."

Researchers say the attack technique is likely to be effective against many
other computer disk encryption systems because of structural similarities.

Turning laptops off completely helps guard against intrusion, but doesn't
work in all cases, according to the report.

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Re: RFC: Flaw in BitLocker, Apple's FileVault, TrueCrypt, and dm-crypt

David H. Lipman wrote:

Quoted text here. Click to load it

I found a really bigger vulnerability: The keys are in memory while the
computer is still powered on. One could simply connect some hardware to the
memory bugs and read it out directly...
Or could could attach a key logger and wait until the user enters the

Quoted text here. Click to load it

Only applies to hardware reboots. If the computer is properly shut down, the
software simply zeros out the key in memory.

Quoted text here. Click to load it

Hibernate? The hibernate file is stored on the encrypted disc...

Quoted text here. Click to load it

No, it's a well known intangible limit known since at least 40 years:
Software cannot defend against an attacker which has physical access to the

Re: RFC: Flaw in BitLocker, Apple's FileVault, TrueCrypt, and dm-crypt

Quoted text here. Click to load it

The "some hardware" is already installed on many computers: Firewire.  If
Firewire is enabled, the computer is on (even with keyboard locked, etc.),
and I have a few minutes access, I'm in.  I can read/write all RAM - I own
the machine. It's known as the iPod/Firewire attack (for reasons I will be
happy to explain).  See, for instance:

Yes, even for Windows XP (I just have to mess a little with OHCI CSRs).  I


Site Timeline