We haven’t made a regular habit of watching BoingBoing TV, but lately they’ve been covering topics we’ve been interested in… not the dolphin pr0n. In yesterday’s episode they talked to Jacob Appelbaum and members of the EFF about the cold boot encryption attack. The attack involves dumping the contents of memory to a storage device by power cycling the system. Cooling the memory chips with compressed air helps preserve the integrity of the data. The attacker can then search the dump to find the encryption keys protecting the contents of the hard drive. A foolproof solution to mitigate this attack hasn’t been developed yet. You can read more about cold boot attacks at the Center for Information Technology Policy. The BoingBoing TV episode, bizarre editing and all, can be downloaded directly here.
Breaking Disk Encryption With RAM Dumps
If you haven’t gotten a chance yet, do watch the video of this attack. It does a good job of explaining the problem. Full disk encryption keeps the key in RAM while the computer is powered on. The RAM’s stored data doesn’t disappear immediately when power is removed, but fades over time. To recover the keys, they powered off the computer and booted from a USB disk that created an image of the RAM. You can read more about the attack here.
How can you reduce this threat? You can turn off USB booting and then put a password on the BIOS to prevent the specific activity shown in the video. Also, you can encrypt your rarely used data in a folder on the disk. They could still decrypt the disk, but they won’t get everything. I don’t think this problem will truly be fixed unless there is a fundamental change in hardware design to erase the RAM and even then it would probably only help computers that are powered off, not suspended.
The potential for this attack has always been talked about and I’m glad to see someone pull it off. I’m hoping to see future research into dumping RAM data using a USB/ExpressCard with DMA access.
Wireless Keyboards Easily Cracked
We first covered breaking the commodity 27MHz radios used in wireless keyboards, mice, and presenters when [Luis Miras] gave a talk at Black Hat. Since then, the people at Dreamlab have managed to crack the encryption on Microsoft’s Wireless Optical Desktop 1000 and 2000 products (and possibly more). Analyzing the protocol, they found that meta keys like shift and ALT are transmitted in cleartext. The “encryption” used on each regular keystroke involves XORing the key against a random one-byte value determined during the initial sync with the receiver. So, if you sniff the handshake, you can decrypt the keystrokes. You really don’t have to, though; there are only 256 possible encryption keys. Using a dictionary file you can check all possible keys and determine the correct one after receiving only 20-50 keystrokes. Their demo video shows them sniffing keystrokes from three different keyboards at the same time. Someone could potentially build a wireless keylogger that picks up every keystroke from every keyboard in an office. You can read more about the attack in the whitepaper (PDF).
[via Midnight Research Labs]
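As an added illustration (not Dreamlab’s code, and not the real radio framing, which the page does not give), this constructed Python model shows why a one-byte XOR key is no protection at all: each of the 256 candidate keys can be tried against a captured run of keystrokes, and a small word list singles out the right one almost immediately. The function names, the word list, the sample text and the key value are all assumptions.

```python
# Added example: a toy model of "each keystroke XORed with one random byte fixed
# at sync time". NOT the real protocol; it only demonstrates the tiny key space.

DICTIONARY = {"the", "password", "for", "account", "is", "meeting", "and", "at"}


def xor_keystrokes(data: bytes, key: int) -> bytes:
    """Encrypt or decrypt (same operation) every byte with a single key byte."""
    return bytes(b ^ key for b in data)


def score(candidate: bytes) -> int:
    """Count dictionary words in a trial decryption; unprintable output scores 0."""
    try:
        text = candidate.decode("ascii")
    except UnicodeDecodeError:
        return 0
    if not text.isprintable():          # rejects control bytes such as NUL or \x1f
        return 0
    return sum(1 for w in text.lower().split() if w.strip(".,") in DICTIONARY)


def recover_key(ciphertext: bytes) -> int:
    """Try all 256 keys and return the one whose output reads most like text."""
    return max(range(256), key=lambda k: score(xor_keystrokes(ciphertext, k)))


def keystrokes_needed(plaintext: bytes, key: int, min_words: int = 2) -> int:
    """Shortest captured prefix at which the true key is the unique best scorer
    with at least min_words dictionary hits; -1 if that never happens."""
    ct = xor_keystrokes(plaintext, key)
    for n in range(1, len(ct) + 1):
        ranked = sorted(((score(xor_keystrokes(ct[:n], k)), k) for k in range(256)),
                        reverse=True)
        (best, k_best), (second, _) = ranked[0], ranked[1]
        if k_best == key and best >= min_words and best > second:
            return n
    return -1


if __name__ == "__main__":
    # Constructed sample: something a user might type, plus an assumed sync-time key.
    typed = b"the password for the account is not the same as the meeting password"
    sync_key = 0x2A
    captured = xor_keystrokes(typed, sync_key)
    print(f"recovered key 0x{recover_key(captured):02x}, true key 0x{sync_key:02x}")
    print(f"keystrokes needed: {keystrokes_needed(typed, sync_key)}")
```

With a real dictionary file, wrong keys produce more spurious short words than this toy list does, which is why the page’s figure of 20-50 keystrokes is larger than what the toy needs.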
