Wednesday, February 27, 2008

Protecting a Macbook (Pro) against harddrive encryption loophole

In the last couple of days a lot of attention has been given to the paper "Lest We Remember: Cold Boot Attacks on Encryption Keys". The attack outlines how laptop disk encryption is vulnerable due to the properties of RAM and its retention of the encryption keys. Its a pretty sophisticated attack and one can assume that the kind of subject that will perpetrate this attack is pretty serious about getting to your data. (Think organised crime or overzealous immigration police).

The consensus seems to be that the best way to defeat this attack would be to "hibernate" your machine or shut it down completely when travelling about. Macs unfortunately have this concept of "Safe Sleep". Through this default process a hibernation file gets created but the machine is put into low/power or "sleep" mode first (fully vulnerable to this attack).

All is not lost however - as shown in this blog post on Macworld you can set the mac to hibernate by default.
This is of course a bit of a pain and your Macbook will not resume normal operation as fast as normal.

I have set my Macbook Pro to only hibernate using the following command from a Terminal window:

$sudo pmset -a hibernatemode 5

Please note that this applies to my machine as I use the "Secure Virtual Memory" setting in the Security Preference pane. Other readers might need to use the value 1. Please refer to the blog posting mentioned a little earlier.

One other method would of course be to keep the status quo hibernation settings.
1) Safe Sleep your Macbook as normal.
2) Wait for the machine to indicate that it has successfully entered Safe Sleep (the little white light on the lid button will slowly pulsate on and off)
3) Then remove the battery.

By removing the battery you will kill the "sleep" mode and the Mac will resume from its hibernate file. That should get rid of any encryption keys in memory with the added advantage that while you are in a "safe area" or not travelling you have super fast resumes from sleep.

1 comment:

Elamaton said...

There's an old blog post (Nov 2006) by Marko Karppinen here:

Turn Off Safe Sleep Now

Quote: "Everything in your Mac’s memory is stored on disk, in unencrypted form, whenever your Mac goes to sleep."

This is very bad for people using FileVault or other means of encryption, no?

The MacInTouch discussion he links to is interesting (and a bit worrying). Is this still valid in late 2008 with Leopard?