Aug 16, 2012

How To Protect Against a Cold Boot Attack (Theory)

[Photo: FBI agents from the Washington Field ... (Photo credit: Wikipedia)]
I just finished up editing next week's Tech Chop in which I talk about three tools designed to break into Truecrypt volumes. One of the tools, without giving too much away, is called Passware Kit Forensic and retails for about $995. This tool is a professional computer forensics tool much like something the FBI would use if they seized your encrypted computer and they needed to break into it to obtain evidence. It works by basically using a cold boot attack.

If you didn't know, a cold boot attack is one in which an attacker recovers your hard drive's encryption keys from RAM. The name comes from researchers' discovery that DRAM keeps its contents for a short time after power is cut, and considerably longer if the modules are frozen, so the keys a running system was using can be read back after a reboot. Other than the freezing part, the FBI has been using this technique for years.

Currently, the only way to prevent this sort of attack is good physical security, which is why many hackers dismiss it: anyone with physical access can do almost anything anyway. For the most part, if you encrypt your drives you will be safe from the average hacker. However, you will not be safe from the government with a warrant, because at that point you have lost your ability to keep them away from your computer. The government is who you have to worry about with this attack, not necessarily "evil" hackers.

You are probably saying to yourself, "If the FBI has a warrant to search your computers, don't you have to cooperate and give them your encryption keys or passwords?" The answer is no, not really. According to an article on Geekosystem:
Traditionally, the Fifth Amendment doesn't cover physical acts. For instance, if you're asked to unlock a safe or open a door, the Fifth Amendment doesn't have your back, at least if there is a key involved. Relaying a combination, on the other hand, is technically testimony. This ruling equates decrypting a computer with telling someone the combination to a safe.
The EFF, a government watchdog and civil rights group that protects individuals' civil rights when it comes to technology, wrote a very good article here about how and when encryption is protected under the Fifth Amendment. In short, if a defendant would have to give up something that exists only in their mind as evidence, such as a password, then it is protected under the Fifth Amendment.

So, back on track: you have something on your encrypted computer and you don't want your government getting it. The only way to stop them if they have a warrant is to buy yourself time, time to get your encryption keys out of memory.
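The point above is that the key only matters while it is still sitting in RAM. Disk-encryption software therefore wipes the key from memory the moment a volume is dismounted or the machine is locked, rather than leaving it for the hardware to forget on its own. The following is an added illustration of that habit in Python; it is not code from the post or from any of the tools it mentions. The `VolumeKey` class, the `unlocked_volume` context manager and the 32-byte key are all constructed for the example, and the caveat in the comments applies: a high-level runtime can make copies you do not control, so real products do this in kernel space.

```python
"""Illustration: keep a volume key in a buffer that can be overwritten in place,
and overwrite it as soon as the volume is dismounted or the session is locked.
Constructed example; not code from any disk-encryption product."""
from contextlib import contextmanager


class VolumeKey:
    """Holds a symmetric key in a mutable bytearray so it can be zeroized.

    An immutable ``bytes`` object cannot be overwritten; it simply lingers in
    memory until the allocator reuses it, which is exactly what a cold boot
    attacker hopes for. A ``bytearray`` can be wiped in place.
    """

    def __init__(self, raw_key: bytes) -> None:
        self._buf = bytearray(raw_key)  # mutable backing store
        self._wiped = False

    def __len__(self) -> int:
        return len(self._buf)

    def view(self) -> memoryview:
        """Read-only view onto the key; avoids creating an immutable copy."""
        if self._wiped:
            raise RuntimeError("key has been zeroized")
        return memoryview(self._buf).toreadonly()

    def zeroize(self) -> None:
        """Overwrite the key bytes in place, then mark the holder unusable."""
        n = len(self._buf)
        self._buf[:] = b"\x00" * n  # in-place slice assignment keeps the same buffer
        self._wiped = True

    def is_zeroized(self) -> bool:
        return self._wiped and all(b == 0 for b in self._buf)


@contextmanager
def unlocked_volume(raw_key: bytes):
    """Scope during which the volume is mounted; the key is wiped on exit.

    The ``finally`` runs on a normal dismount, on an exception, and (if the
    lock handler raises into this scope) on a screen-lock event.
    """
    key = VolumeKey(raw_key)
    try:
        yield key
    finally:
        key.zeroize()


def demo_mount_and_dismount() -> bool:
    """Mount with a constructed key, use it, dismount; report that it was wiped.

    Caveat: CPython may still hold transient copies (for example the ``raw``
    argument below, which is an immutable ``bytes``). Production software
    zeroizes in kernel memory where it controls every copy.
    """
    raw = bytes(range(32))  # constructed 32-byte key, not derived from anything real
    with unlocked_volume(raw) as key:
        usable_while_mounted = bytes(key.view()) == raw
    return usable_while_mounted and key.is_zeroized()


if __name__ == "__main__":
    print("key wiped on dismount:", demo_mount_and_dismount())
```

The takeaway for the post's argument: software can only wipe what it still controls at the moment of the lock or dismount. Once the attacker has already cut the power, nothing above runs, and the only remaining defence is the delay before the DRAM contents decay.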

So what is one to do? Well, after doing some research for my show I came across a video on YouTube demonstrating the cold boot attack, and I started reading the comments. One guy's comment caught my eye when he mentioned using a BIOS password along with full hard drive encryption. That got my mind turning a bit.

If you set a BIOS password, sure, it's not that secure in itself, but it can buy you some time. The BIOS password can easily be cleared by a jumper setting on the motherboard, but if the attacker doesn't know it's there, they will power cycle the computer as usual and will then be greeted by the BIOS password. They will then have to power off the computer, open up the case, set the jumper to clear the BIOS password, power it back on until the BIOS is reset, power it back off, reset the jumper, then power it on again. How many minutes will that buy? Probably enough to clear out the keys, I'm guessing.

Now, I'm not an expert on how long it takes memory to clear, nor am I an expert on cold boot attacks. If someone knows better than I do whether this will work or not, I'd love to hear about it in the comments. Also, if you have a better solution for protecting against the cold boot attack, please let us know in the comments as well.

