FileVault encryption has its Achilles heel

Researchers have discovered a way to steal the disk encryption key used by products such as BitLocker for Windows Vista or Apple’s FileVault. With this key, attackers can access all the information stored on the encrypted hard drive.

This is due to a physical property of computer memory chips. The contents of DRAM (dynamic RAM) chips are lost when the computer is powered off, but the researchers found that this loss is not immediate, as Alex Halderman explains. In fact, it may take several minutes for the data to fade completely, which gives attackers a window in which to capture the encryption keys.

For such an attack to be possible, the computer must first be running or in sleep mode. It cannot work against a computer that has been shut down for a few minutes, since the data in the DRAM will already have disappeared.

The attacker simply unplugs the computer for a second or two, then reboots the system from a portable drive that contains software capable of reading out the contents of the memory chips. This lets the attacker bypass the operating system protections that are responsible for keeping encryption keys hidden in memory.

Some computers erase memory during the boot process, but even such systems are vulnerable, as Halderman points out. The researchers found that cooling the memory chips by spraying them with compressed air slows the rate at which their contents fade. By cooling the chips to around minus 58 degrees, the researchers gain enough time to shut down the computer and move the memory modules into another PC that boots without erasing their contents.

Led by Princeton University, the team includes researchers from the Electronic Frontier Foundation and Wind River Systems.

Hard drive manufacturers Seagate and Hitachi offer hardware encryption on some of their drives, although this option increases the price of the product.