Laptop Encryption Not Secure or Safe? Must Be A Slow News Day. My Take On The Princeton Research.

I initially read the news on The New York Times, and the story has spread since.  Must be a really slow news day, because I don’t think I’ve ever seen so many different news sites—traditional media or otherwise—cover a computer security issue on such a scale before.  Of course, it could mean that we’ve had a surge in media outlets that cover this kind of stuff.  Or, it may indicate that the issue is of extreme importance; I don’t agree that it is, although I’m sure the tinfoil brigade will beg to differ.


What am I ranting about?  Well, the Gray Lady and others report that researchers at Princeton are able to hack into laptops protected with advanced encryption.  However, most of the media has approached the story in such a convoluted manner (not the NYT, by the way) that they’re making it sound as if encryption is about as safe as having a poodle in charge of El Dorado’s gold.  Plus, there’s the canned air, which we’ll come to later.


Before I go on, let me state in unequivocal terms that the security flaw described here is irrelevant to 99.99% of the people out there, in my opinion.  I still advocate whole disk or other encryption software, like those offered by AlertBoot, for protecting sensitive data because the vulnerability’s impact for most people is about as relevant as an announcement that tachyon particles are real: exciting in certain circles, but immaterial to most. (If you’re wondering, some think that tachyon particles will allow time travel.  As of yet, they’re theoretical; but even if they were real, they’d exist for less than a second.  It’s one of those particles.)


What did the Princeton guys find that’s causing all this hubbub?  Essentially, they can bypass advanced encryption using their custom software if they can access the contents of the RAM chip on time, even if the computer’s turned off.  The software will be distributed to security researchers (and eventually the bad guys will have a copy as well, I presume).  The technique, an attack focusing on the encryption key, can also be used on a computer that’s not turned off.


A key is necessary to encrypt and decrypt data, i.e., to scramble, and later make sense of, the data.  This key is loaded to RAM when in use and can’t be encrypted (if it were encrypted, then a key to the key would be needed, which in turn is not encrypted, so that would have to be encrypted, which means another key is need, and so on—the point is, you’ll eventually have an unencrypted key somewhere, so encrypting the key is pointless).


The researchers have created software to fish this key from the computer’s RAM, which is not unlike finding someone’s password written somewhere.  If you know the password, the most advanced encryption in the world won’t protect scrambled data, and this is true as well if the key is compromised.  So far, this is all logical and old news, with the exception of the software that the researchers developed for finding encryption keys in the RAM.


What’s attracting a lot of attention in the media, it seems to me, is that the hack can be successfully carried out on computers that have been turned off as well—if the attack is carried out within one minute or so after it turns off.  This is because the information on RAM does not instantly wipe out.  Instead, it decays as the electric charges in the RAM decays.  This is not news, either.  A RAM chip is basically many tiny capacitors on a chip, each capacitor being a temporary container for electricity.  The electricity in turn switches things on and off, each “on” or “off” position representing data.  Cut the juice and the RAM returns to its original, unpowered state, i.e., no data.


If you’ve ever played with capacitors, you know it can shock you—in fact, it could kill you—after a device has been turned off unless you give the capacitor time for its electric charge to power down.  It’s only natural, then, that electricity in RAM will gradually disappear after the computer is turned off.  This process will sometimes take a couple of minutes, according to the researchers’ testing, but usually takes seconds.  The data will also gradually disappear—this is what people mean by “decay.”  Most people are unaware of this short?lived decay, and assume that once you cut the electric supply, that’s the end of the story for the data in the RAM.


The Princeton researchers have taken advantage of this momentary state where the RAM still retains the data.  Their key?finding software includes a way to compensate for the information decay in the RAM.  But as the researchers themselves point out, you’ve got to start using their software generally within minutes of cutting power, before there is too much decay.


This is where the canned air comes into play.  Past research has shown that decay can be slowed if the RAM is in a freezing environment.  The researchers inverted a container of canned air and sprayed the contents on the RAM, pretty much freezing the RAM chip and prolonging the retention of data.  If you’re not aware, the stuff coming out of an upside?down can of air is way below freezing (there’s specific warnings not to do this on the can itself)—and this is like mana for journalists covering the world of computer security.  I mean, read the headlines: “Canned Air Renders Computer Encryption Useless!”  It makes great copy.  It’s definitely less fun if you say that the researchers needed to cool the RAM down to -60 ?C.


What does this mean for people like you and me?  For one, run if you see someone approaching you with an inverted can of air—he might give you frostbite.  Computer security?wise, it means that you’re not protected if your encrypted computer gets stolen while you’re working on it or within minutes of shutting it down.  The former is just obvious and common sense, and was always the case—after all, an open safe is vulnerable to theft.  The latter is a vulnerability if the FBI decides to bust you in a surprise raid and you pull the plug on your computer.  Of course, your immediate concerns should be other stuff, such as not getting shot.  Or tasered, bro.


For the rest of the world, who need to protect their data if their computers are lost or stolen, due to break?ins, muggings, or otherwise, encryption is still a necessity and a practical, effective way of preventing data breaches.  I expected a thief will run as far away as possible after stealing a laptop, not stop mid?flight to pop open a laptop’s memory compartment and freeze it within the required minute or so; it just sounds ridiculous.  I think Microsoft, of all companies, put it best:  The claims detailed in the Princeton paper are not vulnerabilities, per se, but simply detail the fact that contents that remain in a computer’s memory can be accessed by a determined third party if the system is running.” [from CNet]


And while the Princeton case is novel, I don’t think it is so unusual that it merits all this attention outside the usual circle.  Like I said.  Must be a slow news day.

Comments (0)

Let us know what you think