Lest We Remember: Cold Boot Attacks on Encryption Keys.

February 22, 2008
Wow. This is amazing and scary at the same time. Basically, some researchers figured out that in order to bypass hard drive encryption when you have physical control over the device, you can read the contents of the RAM chips to obtain the encryption key. This is not an attack on the encryption itself; it's like finding the key to the super-secure door under the welcome mat. Even after power is cut from the device, data stays in RAM for a certain amount of time (and that time can be extended by freezing the chips with a can of compressed air). Booting the device into a special tool allows the memory to be copied and analyzed. They can even remove the RAM chips and put them in another laptop for analysis. The only secure way to protect yourself is to power the laptop down completely and guard it for a few minutes until the memory finally clears.

Be sure to spend the 5 minutes watching the video in the article.

What's even more interesting is that most folks transport their laptops in a power-saving mode such as standby or hibernation. Even I carry my laptop around in standby. All it takes is for someone to steal the laptop, and the encryption won't matter.

This just proves that carrying information around is not safe. The approach I've been trying to take with my users is to give up fat client laptops for a thin client laptop approach, such as the offerings from Neoware or HP. The idea is to leave all information on the corporate network and require my traveling users to log in via secure VPN and RDP directly to their desktops. On top of not storing information, the thin clients are sturdy, have no moving parts, run our VPN software just fine, are easy to replace (no user-specific information to transfer to another laptop), and are fairly cheap (approximately a third of the cost of a regular laptop). I usually keep a couple lying around as loaners, so someone who doesn't travel much can check one out and I don't have to set anything up on it for them; I only have to enable RDP on their desktop.