Researchers: Computers' "secure" memory systems utterly insecure

Published 25 February 2008

Attacks on computer memory reveal vulnerability of widely used security systems; information stored in a computer’s permanent memory readily accessible to hackers; laptops especially vulnerable

As if we did not have enough worries about cyber security: Remember all those cases in which laptops (for example, that of the U.S. Veterans Administration) were lost, together with the personal information of millions of people? It was argued that if the information on the laptops’ hard drives were encrypted, it could not be accessed by those who found the laptops. Think again. A team of academic, industry, and independent researchers has demonstrated a new class of computer attacks which compromise the contents of “secure” memory systems, particularly in laptops. The attacks overcome a broad set of security measures called “disk encryption,” which are meant to secure information stored in a computer’s permanent memory. The researchers cracked several widely used technologies, including Microsoft’s BitLocker, Apple’s FileVault, and Linux’s dm-crypt, and described the attacks in a paper and video available at the Web site of Princeton University’s Center for Information Technology Policy.

The team reports that these attacks are likely to be effective at cracking many other disk encryption systems because these technologies have architectural features in common. “We’ve broken disk encryption products in exactly the case when they seem to be most important these days: laptops that contain sensitive corporate data or personal information about business customers,” said Alex Halderman, a Ph.D. candidate in Princeton’s computer science department. “Unlike many security problems, this isn’t a minor flaw; it is a fundamental limitation in the way these systems were designed.” The attack is particularly effective against computers which are turned on but are locked, such as laptops that are in a “sleep” or hibernation mode. One effective countermeasure is to turn a computer off entirely, though in some cases even this does not provide protection. Halderman’s Princeton collaborators included graduate students Nadia Heninger, William Clarkson, Joseph Calandrino, Ariel Feldman, and Professor Edward Felten, the director of the Center for Information Technology Policy. The team also included Seth Schoen of the Electronic Frontier Foundation, William Paul of Wind River Systems, and independent computer security researcher Jacob Appelbaum.

Felten said the findings demonstrate the risks associated with recent high-profile laptop thefts, including a Veterans Administration computer containing information on twenty-six million veterans and a University of California, Berkeley laptop which contained information on more than 98,000 graduate students and others. It is widely believed that disk encryption would protect sensitive information in instances like these, but the