A Cold Day in RAM

Home » Podcasts » 2008 Podcasts

A new hardware exploit could allow RAM contents to be viewed even after powering down.

Listen to the podcast: A Cold Day in RAM.

Transcript

This is Leo Notenboom for askleo.net.

Just about the time we congratulate ourselves for taking the next step in security by carefully encrypting everything on our hard disk, out comes a report that shows - and I do mean demonstrates - that many of the most popular encryption tools can be defeated without a whole lot of work on the hackers part.

Now, before we all run around and panic, let's look at what this is really all about.

Conventional wisdom is that the contents of your computer's RAM is lost when you power down your computer. There are two nuances to that statement that make that conventional wisdom a little less conventional:

• First, standby mode does not actually power down RAM. Hibernate mode might or might not, but it also writes an image of RAM to your hard disk.

• Second, it turns out that your RAM actually keeps what's stored in it for "a while" after it's been powered down. And although "a while" could be a few seconds, it could be lengthened into several minutes by cooling down the RAM chips before they're powered down with common cans of compressed air.

Now remember that in order for encryption software like TrueCrypt or Bitlocker or others to work, they must keep the decryption key in RAM in order to use it.

So, a hacker comes along, steals your laptop, and if it's on or in standby or in hibernation, he might just be able to reboot and run a tool that reads what's left in your RAM and locate those keys and then be able to decrypt your information. It's even been shown that by cooling the RAM chips they can be removed and placed in another computer where software can then access the contents.

Scary, huh? And yes, if you're a secret agent or carrying corporate or government secrets around in your laptop you might need to reconsider how you treat your data.

But what about the rest of us?

Well, I'm not going to panic just yet.

The best advice so far is simply not to rely on Standby or Hibernation for security and turn off your computer for a few minutes before you might leave it in any situation where it might be lost or stolen.

Note that this does require physical access to your machine. As I've mentioned before, if your machine isn't physically secure it's not secure - though clearly encrypting the data is one approach to dealing with exactly that. So, if you're in a situation where you are at risk of theft, you'll want to keep this new possibility in mind.

I fully expect computer manufacturers and encryption software vendors to come up with some preventative measures as soon as they can.

I'd love to hear what you think. Visit askleo.net and enter 12257 in the go to article number box to access the show notes, the transcript and a link to the Princeton University web site with all the details. While you're there, browse the hundreds of technical questions and answers on the site.

Till next time, I'm Leo Notenboom, for askleo.net.

Related:

• Princeton University - Lest We Remember: Cold Boot Attacks on Encryption Keys

Article 12257 | Posted March 1, 2008