I just came across this article about cracking full-disk encryption (http://reviews.cnet.com/8301-13727_7-57369983-263/filevault-2-easily-decrypted-warns-passware) with the headline “FileVault 2 easily decrypted, warns Passware”. It looks like the article is pretty much a re-hash of a press release, but it got me wondering how serious this actually is, and whether there are steps you can take to mitigate the risks if you need the security of full-disk encryption.
The actual threat
The vulnerability comes from ports with direct memory access (DMA). From what I understand, that is mostly high-performance ports like FireWire, PC Card (and ExpressCard), eSATA and Thunderbolt. The article mentions FireWire in particular, but that is probably because they are focusing on Macs, and lots of Macs have FireWire. The problem is certainly not a Mac-only issue; it affects any computer with those ports.
The reason these ports can be used is all down to the way they achieve their high performance: they give attached devices direct access to system memory, without going through the CPU. That is definitely a double-edged sword. While it allows data to move between devices at blazingly fast speeds, it also lets a malicious device read (and write) anything that is in your computer’s memory. If you are using full-disk encryption, that includes your decryption key. That key has to be in memory while the volume is mounted, because without it the system cannot read your data. I am surprised that there is not a way to ring-fence this super-sensitive data, but the world of technology is all about trade-offs, and up to now that clearly is not a trade-off anyone has felt was worth the effort.
Is there anything you can do to stay secure? Yes. This issue only affects your computer while it is up and running (and after you have entered your password). Therefore, if your computer is powered off, your data should be safe. It does not sound so bad now (you can just turn your computer off when you are not using it), but it still leaves one huge gaping hole: most of us do not turn our computers off, we put them to sleep. When a computer sleeps, everything that is in memory is kept in memory, so the vulnerability is still there as soon as you open the lid or hit a key. If you need to be as safe as you can be, shut down your computer when you are not using it, and never leave it unattended while it is locked or sleeping.
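On a Mac, the gap between “shut it down” and “just close the lid” can be narrowed with two power-management settings documented in pmset(1): `destroyfvkeyonstandby 1` tells the system to discard the FileVault key when it enters standby, and `hibernatemode 25` makes it write memory to disk and power off RAM on sleep instead of keeping it live, so the key is not sitting in memory while the laptop is closed. The script below is an added example, not from the original post or from Passware or Apple; it audits `pmset -g` output for that combination and prints the remediation commands when it is missing. The two sample outputs are constructed, not real captures, and the exact `pmset -g` line layout they assume (one key and one value per line) is an assumption about the tool’s output format.

```shell
#!/bin/sh
# Added example: check whether a Mac is configured to discard the FileVault
# key on standby (destroyfvkeyonstandby=1 plus hibernatemode=25).
# Assumes `pmset -g` prints one "<key> <value>" pair per line.

# Constructed sample resembling default laptop settings (not a real capture).
SAMPLE_PMSET_OUTPUT='System-wide power settings:
Currently in use:
 standby              1
 hibernatemode        3
 destroyfvkeyonstandby 0
 sleep                10
 displaysleep         5'

# Constructed sample of a hardened machine (not a real capture).
HARDENED_PMSET_OUTPUT='System-wide power settings:
Currently in use:
 standby              1
 standbydelay         0
 hibernatemode        25
 destroyfvkeyonstandby 1
 sleep                10'

# pm_value KEY TEXT: print the value of KEY from pmset-style output
# (empty if the key is absent).
pm_value() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $2; exit }'
}

# fv_key_safe_on_sleep TEXT: succeed (0) only when both settings are in the
# hardened state; a missing key counts as unsafe.
fv_key_safe_on_sleep() {
    destroy=$(pm_value destroyfvkeyonstandby "$1")
    hib=$(pm_value hibernatemode "$1")
    if [ "$destroy" = "1" ] && [ "$hib" = "25" ]; then
        return 0
    else
        return 1
    fi
}

# remediation: the pmset invocation that switches the machine to the
# hardened state (hypothetical helper name; the commands are from pmset(1)).
remediation() {
    printf '%s\n' 'sudo pmset -a destroyfvkeyonstandby 1 hibernatemode 25 standbydelay 0'
}

# Use the live settings when pmset is present; fall back to the sample
# so the script also runs on a non-Mac machine for demonstration.
if command -v pmset >/dev/null 2>&1; then
    CURRENT=$(pmset -g)
else
    CURRENT=$SAMPLE_PMSET_OUTPUT
fi

if fv_key_safe_on_sleep "$CURRENT"; then
    echo "OK: FileVault key is discarded on standby."
else
    echo "WARNING: FileVault key stays in RAM during sleep. To fix, run:"
    remediation
fi
```

The trade-off is that waking from sleep becomes slower (memory is restored from disk) and you are prompted for your password again, which is exactly the behaviour you want if the threat is a cold laptop with a cable plugged into it. The script only inspects the two settings; it does not change anything itself.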
I hope this post gives you a little extra insight into how full-disk encryption might not be totally secure. I do feel that this vulnerability is an edge case: using such specialised software on a running laptop means that somebody is serious about getting your data. If somebody found a laptop on a train, say, and tried accessing your files using regular methods, full-disk encryption should save you from embarrassment and getting your name in the newspapers. But if you are worried that you might be specifically targeted, this problem could be very real and you should definitely give it some thought.