A Microsoft product manager last week downplayed the threat posed by research that shows how attackers can inspect a "ghost" of computer memory. He said that users can keep thieves from stealing encrypted data by changing some settings in Windows.
Russ Humphries, a senior product manager for Windows Vista security, was reacting to last week's reports about a low-tech technique that could be used to lift the encryption key used by Vista's BitLocker or Mac OS X's FileVault. Once an attacker has the key, of course, he could easily access the data locked away on an encrypted drive.
The method - dubbed "Cold Boot" because criminals can boost their chances by cooling down the computer's memory with compressed gas or even liquid nitrogen - relies on the fact that data doesn't disappear instantly when a system is turned off or enters "sleep" mode. Instead, the bits stored in memory chips decay slowly, relatively speaking.
Cooling down memory to -58 degrees Fahrenheit (-50 degrees Celsius) would give attackers as long as 10 minutes to examine the contents of memory, said the researchers from Princeton University, the Electronic Frontier Foundation and Wind River Systems. And when they pushed the envelope and submersed the memory in liquid nitrogen to bring the temperature down to -310 degrees Fahrenheit (-190 degrees Celsius), researchers saw just 0.17 percent data decay after an hour.
- Latest Microsoft news - click here
- Latest Windows XP news - click here
- Latest Windows Vista news - click here
The whole thing is unlikely, Humphries argued in a post to the Vista security team's blog. To make his case, he ticked off several preconditions:
- The attacker would have to have physical access to the machine.
- The laptop would likely have to be in "sleep" mode, rather than in "hibernate" mode or powered off.
- The person who finds/steals the laptop must be knowledgeable and interested enough to execute the attack.
"I would posit that the opportunistic laptop thief is somewhat unlikely to carry a separate laptop on which they will have installed tools that allow them to reconstruct cryptographic keys, or for that matter have a can of compressed air handy," said Humphries.
Not everyone was buying that argument, however.
"We just had two laptops stolen. Both were powered on and would be prime candidates for 'memory' based attacks," claimed a user identified as Doug who posted a comment to Humphries' blog.
"So this is not as improbable as you make it sound."
But even as Humphries downplayed the chance of an attack, he also spelled out ways users of BitLocker - the full-disk encryption feature included in Vista Ultimate and Vista Enterprise - could protect their laptops from a Cold Boot.
"The thing to keep in mind here is the old adage of balancing security, usability and risk," said Humphries.
"BitLocker provides several options that allow for a user, or more likely an administrator, to increase their security protections but at the cost of somewhat lowering ease of use."
Specifically, he said users or IT administrators could set BitLocker so that it would not let a PC boot, or even resume from hibernation, without confirmation from a PIN and/or a secret key stored on a USB-based flash drive or memory stick.
Others at Microsoft pitched in last week to counter the widespread reporting of the Cold Boot research. Douglas MacIver, a member of the company's BitLocker test team, added a list of steps corporate users can take.
"The [Princeton] research and presentation are impressive," he said in a blog posting of his own. "But after reading it, you may come away wondering 'What can I do immediately to protect myself?' Our customers have been asking us this same question."
Among MacIver's recommendations: Set laptops so that they enter power-off "hibernation" rather than the low-power "sleep" mode, which can't be protected by a BitLocker PIN or key; limit boot options by modifying the PC's BIOS; and disable FireWire and PCI Host controllers.
The Cold Boot research paper is available in PDF format at Princeton University's website.