SAN JOSE, Calif.--Disk encryption, which people rely on for protecting sensitive data on laptops, can fairly easily be foiled, security researchers said in presenting a paper on a so-called "cold-boot attack" at the Usenix security conference on Wednesday.
In a new type of attack that requires physical access to a target computer, an attacker can cut power to a machine that is in sleep mode, restore the power, and boot a malicious operating system from a USB drive or an iPod that can copy the RAM contents.
But won't the contents of the RAM be lost when the power is turned off? Actually, no, according to the team of mostly Princeton University researchers led by J. Alex Halderman, a doctoral candidate.
The group found that contrary to common knowledge, RAM data fades gradually over a period spanning from a few seconds to a few minutes after the power is cut. This could give an attacker time to read the RAM data, including encryption keys, after rebooting into a different operating system or removing the memory chips and placing them into a different computer.
An attacker can extend the data decay time period by cooling the chip off while the machine is running with a spray of "canned air" commonly used for cleaning keyboards of dust. With liquid nitrogen, an attacker could take days to retrieve the data if needed.
Popular disk encryption schemes like Microsoft's Bitlocker in Vista don't protect against this type of attack, and actually make the laptops more susceptible, the researchers said.
"Overall, the significance is that disk encryption is not the silver bullet that we might have thought in its present state," Halderman, said in an interview after the presentation. "Individuals and businesses that rely on disk encryption need to pay much closer attention to the physical security of their devices."
In addition to Halderman, the research team included Princeton professor Ed Felten, as well as Nadia Heninger, William Clarkson, Joseph Calandrino, and Ariel Feldman of Princeton; Jacob Appelbaum; Seth Schoen of the Electronic Frontier Foundation; and William Paul of Wind River Systems.
This video created by the research team explains how the attack is done: