Should enterprises worry about cold boot attacks?
Cold boot attacks can expose any information stored in PC memory--including encryption keys. And With information security, never underestimate the bad guy's skills.
Late last month, researchers at Princeton made headlines when they published a paper exposing weaknesses in PC encryption technologies. It seems that DRAMs retain resident data for several minutes after PCs are shut down. This vulnerability can lead to "cold boot attacks" that can expose any information stored in PC memory--including encryption keys. Using several different types of attacks, researchers were able to exploit this vulnerability to Read more about this security research here. (PDF)including BitLocker (Microsoft Windows), FileVault (Apple Macintosh), and TrueCrypt (Open Source).
The Princeton report renewed a well-understood problem in the security community. Many encryption technologies are far more vulnerable than you think. That said, should chief information security officers be concerned? Yes and no.
When I first read this study, my initial reaction was that this was old news that was only relevant to the security research and academic communities. If my PC is stolen at Logan Airport or I leave it in a New York City cab, chances are pretty good that it gets fenced on the street for a few hundred bucks or traded for tubes of crack. In a situation like this, any Full-Disk Encryption (FDE) solution serves its purpose by providing anti-disclosure insurance. In other words, if my PC contains regulated data when it is stolen, FDE gives me a "get out of jail free" card on regulations like California SB 1386--I don't have to disclose this data breach to the public or suffer the associated embarrassment and cost.
Given this scenario, Joe Blow FDE software is sufficient most of the time, but security attacks are getting more targeted and sophisticated each day. Additionally, ESG Research data indicates that about one-third of large organizations (for example, 1,000 employees or more) suffered a data breach in the last 12 months and about half of these breaches were carried out by insiders. Given the right circumstances, a junior IT administrator could use a cold boot attack to steal valuable information from a C-level executive. Cold boot attacks also provide a new avenue for industrial espionage since many users leave laptops in hibernation mode when they travel.
Yes, there are ways to minimize the possibility of a cold boot attack against vulnerable encryption tools but security best practices state that if you are going to implement security technologies, you ought to choose those that provide the highest security possible. BitArmor, Intel (Danbury), and Seagate offer examples of encryption technologies immune to the Princeton attacks. My guess is that others will quickly follow.
With information security, never underestimate the bad guy's skills and desires. As Sun Tzu said in The Art of War, "If you know your enemy and know yourself, you need not fear the results of a hundred battles. If you know yourself but not your enemy, for every victory gained you will also suffer a defeat. If you know neither your enemy nor yourself, you will succumb in every battle."