Frozen RAM and Bitlocker (can it be defeated?)

This came as no surprise to me, yet when you see something theoretical being applied
it always manages to give you a jolt…especially if you consider the timing.

During the last week I was (and still am) planning a series of posts about Bitlocker.
In (very) short,Bitlocker is a Windows Vista technology that encrypts your hard drive
as a unit. To access the data you need to provide some type of a key that releases the
key used to decrypt (and encrypt) your data into RAM.

The main advantage of Bitlocker is it’s ability to protect your data even if someone manages
to gain physical access to your system(by stealing it) and boots the system form a parallel
OS.

 

In the past I have read a research paper(still looking for it), stating that in contrary to popular
belief when you cut power to a RAM module the data it has stored is not lost. In addition to that,
the data inside RAM can be preserved by cooling the RAM modules.
image

Considering that your encryption/decryption keys are saved in RAM if someone gains access to
your system while it is still turned on(or shortly after you have cut power to it) they may be able
to access your encryption/decryption keys and additional sensitive information such as documents
you worked had open.

This concept has been demonstrated (to some extent in a video and a research paper) by a group of
people mainly from Princeton at their website:
http://citp.princeton.edu/memory/

 

In my opinion, it is extremely important to point out that Bitlocker protects your data only
if the computer is turned off or is hibernated (if your system is on, the data is not protected).

I am humbled to correct people from Princeton but it is something that I must do in this case, during the
video, the narrator mentions that in some cases Bitlocker can be attacked even if a system is turned off and
the way to discern between such cases is if a system asks for a key/pin(you are protected) or a password(you are
not protected).
The first part is very inaccurate and may cause unnecessary confusion.
There is only one way for a system to be off-there is no power running to it. Either it is shut down
or it is hibernated all the other methods do not shut a system down.

Anyway- it is still a cool concept to demonstrate…

2 thoughts on “Frozen RAM and Bitlocker (can it be defeated?)

  1. There are ways of securing a system from this sort of “attack.”
    First, use a bios password. This insures that someone can’t boot and read the frozen RAM in the machine.
    Second, it has been shown that frozen memory modules can be removed and read in another computer. Gluing the memory modules in place would make this sort of thing nearly impossible.
    Sounds extreme but there are times when security is more valueable than the hardware.

  2. If someone really wanted the data from an encrypted laptop; they would go to the weakest link and that would be you; the user.

    give up your passwords or lose a finger, a hand, a leg, an eye, your life?

    harsh but true.

Leave a Reply

Your email address will not be published. Required fields are marked *