In-Depth

Laptop Security: Hackers Attack Encrypted Data on Chips

Sleeping laptops may be the next way hackers steal encrypted information

• By Stephen Swoyer
• 03/04/2008

Just how safe are your sleeping laptops? Last month, researchers described a new method to steal encrypted information on dynamic RAM chips. The risk, researchers say, is low -- but that doesn't mean IT organizations shouldn't take precautionary measures.

A Princeton-based group of security researchers recently released a technical paper last month in which they described a technique for harvesting encrypted information from dynamic RAM (DRAM) chips that store temporary data -- such as the keys for data-scrambling algorithms -- when read from hard disk. Even though this data is supposed to disappear instantly once a system is shut down (or when electrical power is disrupted), that doesn't always happen, researchers said. In fact, the Princeton group was able to read encrypted information from chips that had been chilled using compressed air or liquid nitrogen.

Call it "Van Eck Phreaking" -- i.e., TEMPEST: the process of reading information off of a CRT display by capturing electromagnetic emissions -- for the DRAM set.

Whatever you choose to call it, it's a potentially troubling development for security professionals. Industry watcher Gartner Inc., for example, says that companies need to take steps to safeguard their systems -- however remote the chance of exploitation.

"The Princeton research is somewhat troubling for security professionals, because it suggests that DRAM memory patterns may persist longer than was previously thought possible," write Gartner analysts John Girard, Ray Wagner, and Eric Ouellet. "However, the circumstances under which this vulnerability can be exploited are sharply limited by time constraints and the need for physical access to the DRAM chip."

Girard, Wagner, and Ouellet say that organizations that rely extensively (or exclusively) on built-in OS encryption tools are most at risk. "The greatest enterprise security exposure lies with default OS encryption tools and simpler applications from independent software sources," they say. "Professional third-party-vendor tools tend to have defenses in place that reduce the ability to locate keys in memory."

According to the Gartner trio, pay-for-use tools typically boast a number of cold-chill-resistant features, including:

• The ability to write keys to dynamic memory locations
• The ability to break keys into fragments and hide the fragments
• The use of multiple keys for different data sets that are removed from memory when not in use
• Forced wipe of DRAM at power down
• Take keys placed in memory for delay and misdirection
• Code that is modified to interfere with reverse engineering

Operating system vendors, on the other hand, seem relatively nonplussed by the disclosure.

"The concept that memory retains a 'ghost image' of what was last stored on it has been well documented and is an industry-wide issue," writes Microsoft security researcher Russ Humphries on the Windows Vista Security blog. "However, the current debate has an interesting angle to it -- specifically a method has been detailed in which an application might be able to reconstruct an encryption key, which might have been used for almost any security purpose, from these ghost images."

To exploit the scenario described by the Princeton team, he says, an attacker would first have to have physical access to a machine that was in sleep mode (instead of powered-off or in hibernate mode); the user (or the user's IT organization) must not have implemented multi-factor pre-boot authentication; and the person who finds or steals the laptop system must be knowledgeable enough to execute an attack of this kind.

"I would posit that the opportunistic laptop thief is somewhat unlikely to carry a separate laptop on which they will have installed tools that allow them to reconstruct cryptographic keys -- or, for that matter, have a can of compressed air handy," he comments, adding that "Targeted theft is, of course, an entirely different threat model!"

The Gartner analysts recommend some common-sense approaches. "[Customers should] consider disabling standby/sleep mode on high-risk systems, allowing only hibernation or shutdown and setting inactive systems to power down or hibernate instead of going to screen lock," they conclude. For high-risk systems in particular, customers might want to evaluate third-party data encryption tools with more sophisticated defenses.