Lenovo ThinkPad TPM Encryption Hacked

I thought some of you might want a heads up. I haven't activated my chip yet - but for those who have...

From today's New York Times...

"A group led by a Princeton University computer security researcher has developed a simple method to steal encrypted information stored on computer hard disks.

The technique, which could undermine security software protecting critical data on computers, is as easy as chilling a computer memory chip with a blast of frigid air from a can of dust remover. Encryption software is widely used by companies and government agencies, notably in portable computers that are especially susceptible to theft."

They show a ThinkPad in the article's picture and in the video below.

http://www.nytimes.com/2008/02/22/technology/22chip.html

<object width='425' height='355'><param name="movie" value="http://www.youtube.com/v/JDaicPIgn9U&rel=1"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/JDaicPIgn9U&rel=1" type="application/x-shockwave-flash" wmode="transparent" width='425' height='355'></embed></object>


Princeton Link: http://citp.princeton.edu/memory/

 

Wow, I never would have thought you could literally freeze the data in DRAM chips. Neat hack.

 

It's not just Lenovo. Why does it have to be Lenovo related? All business laptops have TPM (including Sony, Dell, HP and others), so this is a general problem.
What kind of encryption does it use?
From what I can see it's more of a physical problem, rather than software (though that can be fixed through software).

 

Since you have to have physical access to the computer to perform this hack, it's still of limited usefulness.

Encryption utilities could likely be adjusted to at least partially compensate for this hack by clearing any cached passwords when a machine goes into sleep/hibernate/screensaver mode; this would require that the user re-authenticate when waking the machine, but would mean that a notebook would have to be accessed in a relatively short window of time (assuming you configure sleep/hibernation/screensaver mode aggressively) for the hack to work. Also, such utilities would probably need to encrypt any swapfile/virtual memory on the machine (I know OS X already has this option).

 

The one way to solve this would be for hardware manufacturers to stick an extra capacitor on either their mobos or their RAM sticks to clear the RAM after a shutdown.

But even then, it might be vulnerable to unanticipated shutdowns.

 

This hack also applies to many software encryption methods. The one thing that stand out to me in the video and link is that people who put their laptops in hibernation and or sleep mode would seem to be much more at risk. If you turn your laptop off and ensure its secure for a couple minutes your risk goes way down. If however you put your laptop to sleep and a thief steals it they can take as much time as necessary to get all the proper equipment in place to freeze your ram and recover the encryption key.

If you don't use sleep or hibernate mode, this is not an easy exploit since it requires actual physical access to the device within a very limited time frame.

At this point it's more of a theoretical vulnerability than an actual one.

 

I owned a Vista Laptop for 2 weeks. Microsoft recommended not to shutdown but rather hit the "power button." Is this sleep or hibernate mode? Then by default many laptops will be left in this mode and susceptible to this hack.

 

Pushing the power button (not holding it down for 4 or 5 seconds) puts my laptop in sleep mode (I run Vista 64). I think this is configurable though, but by default i believe you are correct.

The reality is that most people are not going to be carrying the kind of information on their laptops that would make them targets of this attack so don't panic. If however you carry a laptop or use a desktop with extremely sensitive data stored on it, perhaps you should get in the habit of completely shutting down your computer and just hanging out with it for a minute or two.

I still believe the biggest security risk people have is using weak passwords, no passwords or writing their password on a post-it note that's stuck to their monitor.