Cold boot encryption-bypassing source code published
Source code is now available to utilities that can bypass programs like Microsoft's BitLocker and Apple's FileVault in some circumstances.
A team of computer scientists has published source code that can in some circumstances bypass encryption used in Microsoft's BitLocker and Apple's FileVault and be used to view the contents of supposedly secure files.
We reported in February on their research, which describes how the contents of a computer's memory could be dumped to a hard drive and the encryption keys forcibly extracted.
The source code includes tools for imaging the target computer's memory through USB and Netboot, and analyzing the memory image to extract AES and RSA encryption keys, even if they're partially degraded. It was published to coincide with the Last HOPE hacker conference over the weekend in New York, where research team member Jacob Appelbaum gave a presentation.
This collection of utilities will be of special interest to security researchers and computer forensics specialists in law enforcement or working for police. (A Justice Department conference that starts Monday, for instance, includes two panels on computer forensics.) It allows police to seize a computer with an encrypted volume mounted that may be asleep or locked with a screensaver, plug in a UPS, and eventually extract its memory and encryption keys.
If you're worried about this threat or the possibility of nosy border guards rummaging through your files, unmount your encrypted volumes when you're not using them or, better yet, completely power down your computer.
As more people use encryption--FileVault is built into all recent versions of OS X--finding ways to respond to it will become more of a challenge for law enforcement. In December, a federal judge ruled a man charged with transporting illegal images could not be forced to turn over his PGP pass phrase.