A Cold Day in RAM

A new hardware exploit could allow RAM contents to be viewed even after powering down.

Transcript

This is Leo Notenboom for askleo.net.

Just about the time we congratulate ourselves for taking the next step in
security by carefully encrypting everything on our hard disk, out comes a
report that shows – and I do mean demonstrates – that many of the most popular
encryption tools can be defeated without a whole lot of work on the hackers
part.

Now, before we all run around and panic, let’s look at what this is really
all about.

Conventional wisdom is that the contents of your computer’s RAM is lost when
you power down your computer. There are two nuances to that statement that make
that conventional wisdom a little less conventional:

• First, standby mode does not actually power down RAM. Hibernate mode might
  or might not, but it also writes an image of RAM to your hard disk.

• Second, it turns out that your RAM actually keeps what’s stored in it for “a
  while” after it’s been powered down. And although “a while” could be a few seconds, it
  could be lengthened into several minutes by cooling down the RAM chips
  before they’re powered down with common cans of compressed air.

Now remember that in order for encryption software like TrueCrypt or Bitlocker
or others to work, they must keep the decryption key in RAM in order to use
it.

So, a hacker comes along, steals your laptop, and if it’s on or in standby
or in hibernation, he might just be able to reboot and run a tool that reads what’s
left in your RAM and locate those keys and then be able to decrypt your
information. It’s even been shown that by cooling the RAM chips they can be
removed and placed in another computer where software can then access the
contents.

Scary, huh? And yes, if you’re a secret agent or carrying corporate or
government secrets around in your laptop you might need to reconsider how you
treat your data.

But what about the rest of us?

Well, I’m not going to panic just yet.

The best advice so far is simply not to rely on Standby or Hibernation for
security and turn off your computer for a few minutes before you might leave it
in any situation where it might be lost or stolen.

Note that this does require physical access to your machine. As I’ve
mentioned before, if your machine isn’t physically secure it’s not secure –
though clearly encrypting the data is one approach to dealing with exactly
that. So, if you’re in a situation where you are at risk of theft, you’ll want
to keep this new possibility in mind.

I fully expect computer manufacturers and encryption software vendors to
come up with some preventative measures as soon as they can.

I’d love to hear what you think. Visit askleo.net and enter 12257 in the go
to article number box to access the show notes, the transcript and a link to
the Princeton University web site with all the details.

While you’re there, browse the hundreds of technical questions and answers on
the site.

Till next time, I’m Leo Notenboom, for askleo.net.