Helping people with computers... one answer at a time.

A new hardware exploit could allow RAM contents to be viewed even after powering down.

Listen:
Download the mp3

Transcript

This is Leo Notenboom for askleo.net.

Just about the time we congratulate ourselves for taking the next step in security by carefully encrypting everything on our hard disk, out comes a report that shows - and I do mean demonstrates - that many of the most popular encryption tools can be defeated without a whole lot of work on the hackers part.

Now, before we all run around and panic, let's look at what this is really all about.

Conventional wisdom is that the contents of your computer's RAM is lost when you power down your computer. There are two nuances to that statement that make that conventional wisdom a little less conventional:

  • First, standby mode does not actually power down RAM. Hibernate mode might or might not, but it also writes an image of RAM to your hard disk.

  • Second, it turns out that your RAM actually keeps what's stored in it for "a while" after it's been powered down. And although "a while" could be a few seconds, it could be lengthened into several minutes by cooling down the RAM chips before they're powered down with common cans of compressed air.

Now remember that in order for encryption software like TrueCrypt or Bitlocker or others to work, they must keep the decryption key in RAM in order to use it.

So, a hacker comes along, steals your laptop, and if it's on or in standby or in hibernation, he might just be able to reboot and run a tool that reads what's left in your RAM and locate those keys and then be able to decrypt your information. It's even been shown that by cooling the RAM chips they can be removed and placed in another computer where software can then access the contents.

Scary, huh? And yes, if you're a secret agent or carrying corporate or government secrets around in your laptop you might need to reconsider how you treat your data.

But what about the rest of us?

Well, I'm not going to panic just yet.

The best advice so far is simply not to rely on Standby or Hibernation for security and turn off your computer for a few minutes before you might leave it in any situation where it might be lost or stolen.

Note that this does require physical access to your machine. As I've mentioned before, if your machine isn't physically secure it's not secure - though clearly encrypting the data is one approach to dealing with exactly that. So, if you're in a situation where you are at risk of theft, you'll want to keep this new possibility in mind.

I fully expect computer manufacturers and encryption software vendors to come up with some preventative measures as soon as they can.

I'd love to hear what you think. Visit askleo.net and enter 12257 in the go to article number box to access the show notes, the transcript and a link to the Princeton University web site with all the details. While you're there, browse the hundreds of technical questions and answers on the site.

Till next time, I'm Leo Notenboom, for askleo.net.

Article C3306 - March 1, 2008 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

2 Comments
Hugh E Torrance
March 8, 2008 2:52 AM

Compressed air is not able to supply enough cooling,it would have to be refrigerant...R22 Etc.

Leo A. Notenboom
March 9, 2008 9:20 PM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have a look at the princeton video. It's not the compressed
air itself, it's the propellant, which sprays out when the
can is turned upside down, and cools dramatically (-50F is
what I recall).

Leo


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFH1LbyCMEe9B/8oqERAluvAJ0esqYyafGNdBIqFbqA/CX1tVLatgCeK9EJ
Z4Zir/ewBdKWWBSZdxOpW4Q=
=eeyC
-----END PGP SIGNATURE-----

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.