Ed Felten Defeats Hard Drive Encryption

from the ed-felten-strikes-again dept

Ed Felten, and the various grad students who work with him at Princeton, have done plenty to contribute to the computer security field (and make quite a name for themselves), from breaking the SDMI watermarking scheme that the recording industry insisted was unbeatable (which nearly got Felten sued) to showing just how vulnerable e-voting machines are. However, he may have just broken his biggest story yet. Felten and a group of colleagues have now shown that software disk encryption is surprisingly easy to beat whenever the machine is running, asleep, or has only just been switched off. This should be a huge concern, considering how many people and organizations rely on data encryption to protect important data. In fact, with many of the “lost” hard drive stories over the past few years, many organizations have insisted the risk was minimal, since the data was all encrypted. Yet, as Felten’s team shows in their video, not only can the encryption be defeated with nothing more exotic than a can of compressed air (held upside down so it sprays refrigerant onto the memory chips), in some cases there isn’t much that can be done to protect against it. As the video notes, the attack fails only when the computer has been completely powered off long enough for the memory to fade and the encryption software asks for the passphrase before the operating system boots, so that no key is left sitting in RAM; otherwise, most systems are vulnerable.

Basically, they’ve figured out that, despite what many believe, data held in RAM does not disappear the instant the power is cut. It fades over a period of seconds, and if you chill the chips (which is what the compressed air is for) the contents can survive for minutes or longer. This matters because, for disk encryption, the key that unlocks the data has to sit in RAM the whole time the disk is in use. If someone can pull that key out of the RAM and make a copy of it, they can decrypt all of the data without ever learning your password.
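To make that last point concrete, here is an added example of what an attacker does with a copied memory image. This is my own illustration, not code from the article or from Felten’s group, but it uses the same observation their key-finding technique rests on: software disk encryption keeps not just the 16-byte AES key in RAM but the whole expanded key schedule derived from it, so a candidate key can be checked by expanding it and comparing the result with the bytes that follow, even after some bits have faded. The memory image, the planted offset and the “decay” pattern are all constructed for the demonstration; the key is the AES-128 test key from FIPS-197.

```python
"""Recover an AES-128 key from a partially decayed memory image.

Added example, not code from the article or from Felten's team. Disk
encryption software keeps the expanded AES key schedule (176 bytes for
AES-128) in RAM, so a 16-byte candidate can be validated by expanding it
and comparing with the bytes that follow it, tolerating bits lost to decay.
"""
import random


def _make_sbox():
    """Build the AES S-box from GF(2^8) inversion plus the affine map."""
    sbox = [0] * 256
    p = q = 1                       # invariant: p * q == 1 in GF(2^8)
    rotl = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                              # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                  # zero has no inverse; defined as 0x63
    return sbox


SBOX = _make_sbox()


def expand_key(key, rounds=10):
    """AES-128 key expansion: 16-byte key -> 16*(rounds+1) bytes of round keys."""
    w = list(key)
    rcon = 1
    for i in range(16, 16 * (rounds + 1), 4):
        t = w[i - 4:i]
        if i % 16 == 0:             # RotWord, SubWord, Rcon every 4th word
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return bytes(w)


def hamming(a, b):
    """Number of differing bits between two equal-length byte strings."""
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


def repair_key(key, stored_schedule, max_passes=16):
    """Greedy repair of decay inside the key itself: each pass flips the one
    key bit that brings the expanded schedule closest to what memory holds."""
    key = bytearray(key)
    best = hamming(expand_key(key)[16:], stored_schedule)
    for _ in range(max_passes):
        best_trial, best_d = None, best
        for bit in range(128):
            trial = bytearray(key)
            trial[bit // 8] ^= 1 << (bit % 8)
            d = hamming(expand_key(trial)[16:], stored_schedule)
            if d < best_d:
                best_trial, best_d = trial, d
        if best_trial is None:      # no single flip helps: local minimum
            break
        key, best = best_trial, best_d
    return bytes(key), best


def find_aes128_keys(image, round1_max=40, schedule_max=128):
    """Scan every offset of a memory image for an AES-128 key schedule.
    Prescreen on the first round key (128 bits; random data averages 64
    mismatches), then repair the candidate and accept it only if the whole
    1280-bit schedule matches within schedule_max bits."""
    found = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        if hamming(expand_key(cand, rounds=1)[16:], image[off + 16:off + 32]) > round1_max:
            continue
        key, dist = repair_key(cand, image[off + 16:off + 176])
        if dist <= schedule_max:
            found.append((off, key.hex(), dist))
    return found


def decayed_image(key, offset, flips, size=4096, seed=1):
    """Constructed memory image: pseudo-random filler with the key schedule
    planted at `offset`, then the listed (byte, bit) positions flipped to stand
    in for DRAM decay (real decay is mostly one-directional; this is simplified)."""
    rng = random.Random(seed)
    image = bytearray(rng.randrange(256) for _ in range(size))
    image[offset:offset + 176] = expand_key(key)
    for byte, bit in flips:
        image[byte] ^= 1 << bit
    return bytes(image)


KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 test key
OFFSET = 1000                                               # constructed
# Constructed decay: one bit inside the stored key, five inside the schedule.
FLIPS = [(OFFSET + 5, 3), (OFFSET + 20, 7), (OFFSET + 47, 0),
         (OFFSET + 90, 2), (OFFSET + 133, 6), (OFFSET + 171, 1)]
IMAGE = decayed_image(KEY, OFFSET, FLIPS)

if __name__ == "__main__":
    for off, key, dist in find_aes128_keys(IMAGE):
        print(f"offset {off}: key {key} ({dist} decayed bits in the schedule)")
```

The prescreen compares only the first round key, so a damaged byte or two in the key itself still gets the offset flagged; the greedy repair then recovers the original key because every wrong single-bit neighbour diverges from the stored schedule by hundreds of bits while the right one matches it to within the decayed bits. Heavier decay that hits several key bits at once needs a more careful reconstruction that works byte by byte from the structure of the expansion, which is why chilling the chips (to keep the error rate low) matters as much as the dump itself.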



Comments on “Ed Felten Defeats Hard Drive Encryption”

Charming Charlie says:

I know only a bit more about computer hardware than the normal person, but isn’t it quite possible to create a hardware solution to the slow powering off of RAM bits? As in, the OS shutdown initiates a power cut off to the circuits supplying power, so that they immediately 0 out? I’m imagining a capacitor or something that draws the power out of the RAM. Alternatively, couldn’t the OS just manually replace all the bits the OS itself isn’t using to kind of cover (mostly) its tracks during a shutdown? In the video, they didn’t show a technique which used a sleeping computer that didn’t involve temporarily powering it off.

This, combined with the password entry before the OS starts running, would cover all the bases, wouldn’t it?

Liquid says:

Re: Re: Re:

I agree with you on that Paul. Plus with a trojan it would most likely be picked up by virus software anyways… I think that if I had physical access to a computer like that I would just snag it and do it this way… if you think about it you won’t leave tracks on the hard drive when you happen to “find it”, and return it…

Jollygreengiant says:

Charlie, you could have lines that would short out the memory, and drain the charge, but it would mean a complete redesign of memory systems, and would add quite a bit to shutdown/reboot times. Better maybe to have a routine that overwrites the data at shutdown.

All of which is a bit moot as the memory doesn’t even need to be in the original PC! A quick spray of liquid CO2 or N2, and just whip them out and into your own device which copies the content for later perusal…

Chronno S. Trigger says:

Re: Re:

I have an easier way to avoid this. Don’t leave your computer in standby and walk away. Always shut down the PC and wait 30 seconds before walking away. That way the memory chips have time to discharge. I don’t know if hibernate would open a risk since the data in the memory is written to the drive during shutdown.

matt says:

not what it seems

Although they are correct that there are easy methods to crack hard drives, these are methods involving physical access. If you have physical access to the hard drive there are many many easier methods to get into the encryption due to human exploitation, such as software situations within the target’s pc, video cameras, physical keyloggers, audio keyloggers.

So whether you can get to the hard drive or not is irrelevant; there’s plenty of methods. This isn’t like they magically figured out the encryption key, and also isn’t the RAM situation “within 1-30 minutes” or something? I mean seriously, it may take half of the minute just to get access to what you’re looking for.

I salute the method, but there are just too many for this to be truly noteworthy.

Overcast says:

I agree with you on that Paul. Plus with a trojan it would most likely be picked up by virus software anyways…

Only if the AV scanner you are running is familiar with it. If you wrote one for the task, there’s only a slim chance it might be detected by the heuristics – which, of course, could easily be tested on another PC, running the same AV software prior to ‘delivering’ the code.

delphidude says:

More scare headlines

This story is being ballyhooed far beyond what it is worth. Has anybody tried this outside of that lab? The answer is yes. Me. I have a pair of useless older PCs that are perfect for experimenting. And a box of cans of cool spray left over from my career job of fixing mainframes. These have real Freon and can freeze your katookies off if used upside down.

I loaded a huge text file with a repeating, easy to recognize pattern of data (i.e abcdefg…) into memory on one. Hosed it down with Freon. That didn’t work – it blew the memory, an experience that I have had in the past when trying to cool down components in troubleshooting. Apparently the small lands on a PC board will shrink from the cold and pull apart.

Started again with another simm. Not so cold this time.

Yanked it hot (as in with power on, not referring to temperature), plugged it into another old junker with a copy of Win 3.1 and powered up. Started scanning memory (that took a while, since my last experience with 3.1 must be about 15 years old.) but…

There was nothing. And since most memory was all zeros, I couldn’t be sure that the hardware/bios was not clearing memory on boot. Turned off everything in the bios, tried again, but still got nothing.

Tried not only pulling it hot, but swapping it hot. Problem was that the receiving machine would lock solid instantly. But finally one try got it in and the receiver stayed up. Time that the memory was without power was less than 3 seconds.

Great. Looked all over but no trace of that pattern could be found.

So. This isn’t quite as easy as the articles are making out. I am sure that the researchers did what they say, but nobody needs to panic that some DHS cop is going to whip out a spray can and a screwdriver and suddenly look through a person’s surfing history. Heck, most government agents that I have run across have trouble opening the lid of the laptop.


Rick Sarvas (user link) says:

Re: More scare headlines

It has been many years since I’ve done any electronics work, but I think I see the problem here with delphidude’s experiment with the older laptops…

It seems to me that the exploit makes use of the fact that DRAM chips are powered by pulses and not a continuous supply of power as required by the Static RAM used in much older computers. In a way, it’s like keeping a bucket that has a small hole in the bottom filled with water. If you top off the bucket at regular intervals as dictated by the size of the hole in the bottom, the supply of water out of the bottom of the bucket should remain the same. If you fail to fill the bucket, the supply of water will eventually run out, but not immediately. With static RAM, the bucket is more like a pipe, so an interruption of water from one end would quickly be noticed at the other.

In short, it might be that the failure of the experiment to work (other than the RAM chips pulling away from the circuit traces when chilled) may simply be due to the fact that the memory used in the target laptops was of the wrong type for this specific type of attack to work (SRAM vs. DRAM).

If so, the results are still interesting.

Some background info…

Then again, I could be completely wrong too.

Kevin says:


Charlie, it’s not a matter of power stored in the RAM. A bit is set in the memory cell as either on or off. Left to its own with no power, the state of the bits will drift or alter over time. Because of this, power is applied to the cells via a refresh strobe. This refresh current helps ensure that the bit state of the cell doesn’t change.

Felten’s exploit is based on discovering that the bit state doesn’t deteriorate very rapidly, and deterioration can be slowed even further by use of a refrigerant to chill/freeze the memory cells.

interval (profile) says:

Ok, SO - WHAT?

Ok, Felten has shown the possible. Let’s look at the reality; the compromiser has to come in fairly soon after the user has powered down the machine. The code breaker then has to take the pc apart, freeze the ram modules and then analyze the latent charge in the modules, and how you do that I’m not sure. For some reason I still feel fairly well protected and will continue to encrypt my data. Thanks for the warning though.

Ben says:

if you get the computer while it's on...

can’t you just burn everything to a CD anyway? I don’t really see why this is significant. I guess it would allow you to have access to the computer any time you wanted, after turning it off or whatever, but if it requires having access to the computer after someone has already entered the password, couldn’t you just get all the data you needed in that session? I suppose if there’s some lesser barrier to access, like a screen saver password, but it just seems like this would be helpful in very few situations.

smarmy says:

It’s a compromise

1) There’s no way to program a laptop to not get stolen, so it comes right down to vigilance on the user’s part, which should be security step one. Probably any laptop that will be carrying sensitive data should have sleep mode disabled, and part of the power-down process should be a memory overwrite. But other than that, I’m not too sure how much more secure you can make things anyway, even without this vulnerability.

DRM Suxx says:

sleep mode

You are forgetting that they were able to do this when the PC was left in sleep or hibernate. I typically hibernate mine to make it faster by skipping the whole boot process. Most people I work with do the same, just setting it to open to the password prompt. The video claims the machine is vulnerable at this point.

xtrasico (profile) says:

Need sleep mode

I am an Auditor and Fraud Investigator. The Agency I work for gives me a laptop to do my work. Last year there was something wrong with it and the boot process used to be like 25 minutes one day and 1 minute the next. That happened every day. I got used to leaving that laptop on sleep mode because when I needed it to boot fast to take a sworn statement or something important it was really frustrating to wait for it to boot up. All the work I do is confidential so we use encryption. This is going to change my preferences… just in case.

Sleep mode:
When referring to speeding up the booting process of a PC I have always read everywhere on the net that hibernate is slower compared to the boot or sleep process. Hibernate just saves everything to hard drive so you can access it exactly as you had it when leaving the PC. In my PC the booting process is faster than waking it from hibernating, which sometimes hangs. Maybe something is wrong with my PC. I don’t know…

Steve says:

Hibernation is Probably Safe with most products

Hibernation and waiting a few minutes should thwart this attack as long as you use a product that encrypts the hibernation file. I know the product I use automatically does that.

I hate to shut down, and hibernating takes too long (even longer now that it’s being encrypted) so I just stand by. Looks like I’ll have to get used to shutting down.

dorion says:

Off Topic

I don’t know what the big deal is with data security anyway. All of our information is spread across the world anyway thanks to outsourcing IT to foreign countries. My identity was stolen when I was 19 from my local college. Someone snagged my personal info from my school records. Good thing I was too young to have any real credit. Too bad LE did not think it was important enough to pursue the crook.

I have worked with several law enforcement companies that have sophisticated ways of dismantling a drive and pulling data off. Whom are you trying to keep the data away from anyway? If they are good enough to crack this stuff then most likely they have a job paying them more than what this data is worth.

Tony (user link) says:

this is not something new

this type of attack is nothing new,

I’m a computer scientist and work for Novell who make SuSE Linux.

if you use something like these products the chances are that your password is only a very small one – as most people will not make the password overly long (aka >20 characters) and even sometimes it is something obvious!

so the vulnerability due to a brute force attack is still about 50-100x more likely to break your encryption than this method is 😐 due to physical acess needed shortly after a powerdown.

Mike says:

This article is misleading...

Hard drive encryption is alive and well and living embedded in hard drives from Seagate, Hitachi, etc.. and it is NOT circumventable via the description in this article.

So a grave disservice is done with the headline “Ed Felten Defeats Hard Drive Encryption”. He has done nothing of the kind. He has only circumvented one form of it. If he can defeat the encryption in the hard drive from Seagate I will then be MOST IMPRESSED.
