News Toolkit breaks FileVault and BitLocker

http://www.bit-tech.net/news/2008/07/22/toolkit-breaks-filevault-and-bitlocker/1

A team at Princeton University has released the source for a toolkit designed to perform a 'cold boot' attack on BitLocker and FileVault volumes - allowing access to encrypted files.

 

I'm not sure how I feel about this. I mean, I don't care that the source code is released and obviously the exploit has been around since we last reported on it. The question is whether it's truly notable.

At some point, there's a hardware flaw and that can't be helped - we're talking about needing genuine local access to the machine, PLUS reboot ability, plus some type of bootable media ability. And all of this goes back to that encryption is as good as the user's technique in utilizing it, which should include unmounting encrypted drives when you're done using them (as Gareth mentions).

The only computers that have a lot to fear from this, then, are laptops which can be stolen before you've unmounted your secure partition. And in that case, were your data THAT sensitive, you could be using something like Seagate's Momentus FDE (full disk encryption) drive or the Silverstone encrypting enclosure. Neither of these should leave a key in your RAM.

So I guess it's good to point out the weakness, but it's important to realize that there's just no perfect system. A little common-sense from a user perspective turns this into a non-issue, and more of an academic finding as to the weakness of RAM technology.

 

I think the point is, for most people, BitLocker et al are fine, but if you are one of the countries top spies, you can choose different tools or modify your behaviour and you are still relatively safe.

Currently, I'm more concerned that the government give away my entire digital identity on weekly basis by posting CDs to strangers, than I am about a determined infiltrator gaining physical access to my encrypted PC.

 

I wonder if either of those guys has ever touched a girl.

 

does their mother count?

but seriously as mentioned before, you would have to have something really important for someone to bother going to these lengths to get the data. and if it was that important methinks you would use something other than bitlocker

 

http://citp.princeton.edu/pub/coldboot.pdf

full whitepaper on it...

and yea it worked to snag a truecrypt password.

 

this may not seem like a big deal for most people (and it isn't) but say you had a corporate/government environment and you wanted encryption keys for a project, which happen to be sitting on an somebody's computer. All you'd have to do is plug in, reboot the machine, grab the keys (assuming no bios password was set) and leave, letting the machine finish booting. Think about it... this could be done in a span of minutes, which is plenty of time if say the entire floor is out for lunch. Kinda scary stuff..

 

Yeah, real scary.

I knew it was possible but no pub tool was out for it, only papers.

 

Only works when the user doesn't expressly close the encrypted file/volume in true crypt.

When you close the volume, truecrypt overwrites any passwords & keys in memory.

They've already put a statement out to this effect in the last couple of weeks.

 

You are forgetting that you can encrypt a whole windows system partition with TrueCrypt.

P.S: I think Ubuntu fixed that bug as of 8.04. Not sure though.

 

one interesting thing is that if a PC is networked and you use the appropriate code, you can use the same trick but pull the right data from right over the network if a machine has wake on lan enabled (and that can be changed through other methods)


I've tried it in a lab setup here and it works, I was able to snag a friend's key from his laptop while he was connected to the network, and I was 3 buildings away.