How to Defeat Full-Disk Encryption in One Minute
Full-disk encryption is often heralded as a panacea to the huge problems of data breaches and laptop thefts, and with good reason. Making the data on a laptop or other device unreadable makes the machine far less attractive or valuable to a thief. However, researchers are showing that this solution has its share of weaknesses, too.
Joanna Rutkowska, a well-known security researcher known mostly for her work on low-level rootkits and virtualization, has published a tool that enables an attacker to boot a protected laptop from a USB drive, record the encryption tool's passphrase and then decrypt its contents without trouble. Known as Evil Maid, Rutkowska said the attack is simple enough to be pulled off by a hotel housekeeper and is effective against TrueCrypt.
The attack works like this: A laptop user, even one who is paranoid enough to power down his encrypted machine, leaves it alone for a few minutes. An attacker inserts the USB drive containing Evil Maid into the laptop and boots the machine from it. The tool installs a sniffer in the laptop's pre-boot loader, which logs the encryption passphrase the next time the user enters it. The passphrase is stored on the disk and can be recovered by the attacker later.
Rutkowska said the Evil Maid tool is a very simple implementation that could be improved upon.
The provided implementation is extremely simple. It first reads the first 63 sectors of the primary disk (/dev/sda) and checks (looking at the first sector) if the code there looks like a valid TrueCrypt loader. If it does, the rest of the code is unpacked (using gzip) and hooked. Evil Maid hooks the TC's function that asks the user for the passphrase, so that the hook records whatever passphrase is provided to this function. We also take care to adjust some fields in the MBR, like the boot loader size and its checksum. After the hooking is done, the loader is packed again and written back to the disk.
Simple enough, and not easy to prevent.
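Because the tool rewrites exactly the first 63 sectors of the disk (MBR plus the packed loader), the simplest detection is to baseline those sectors while the laptop is trusted and re-verify them before typing the passphrase. The following is an added example, not code from the article or from Rutkowska's Evil Maid; the disk image is constructed in memory, and the /dev/sda path and off-laptop baseline storage are assumptions.

```python
import hashlib
import io

SECTOR_SIZE = 512
BOOT_TRACK_SECTORS = 63          # Evil Maid reads and rewrites sectors 0..62
MBR_SIGNATURE = b"\x55\xAA"      # bytes 510-511 of a valid boot sector

def read_boot_track(fp):
    """Read the first 63 sectors from an open binary file or block device."""
    fp.seek(0)
    data = fp.read(SECTOR_SIZE * BOOT_TRACK_SECTORS)
    if len(data) != SECTOR_SIZE * BOOT_TRACK_SECTORS:
        raise ValueError("short read: device smaller than one boot track")
    return data

def has_mbr_signature(track):
    return track[510:512] == MBR_SIGNATURE

def boot_track_digest(fp):
    """SHA-256 over the whole boot track, MBR fields included, so a patched
    loader size or checksum in the MBR changes the digest as well."""
    return hashlib.sha256(read_boot_track(fp)).hexdigest()

def verify(fp, baseline_hex):
    """Return (unchanged, digest); unchanged is False if anything in the
    boot track differs from the baseline taken when the machine was trusted."""
    digest = boot_track_digest(fp)
    return digest == baseline_hex, digest

# Constructed demo image (not a real TrueCrypt loader): deterministic bytes
# with a valid MBR signature; the tampered variant has one byte patched in
# sector 1, where the loader code would live.
def make_demo_stream(tampered=False):
    track = bytearray((i * 7 + 3) & 0xFF for i in range(SECTOR_SIZE * BOOT_TRACK_SECTORS))
    track[510:512] = MBR_SIGNATURE
    if tampered:
        track[SECTOR_SIZE + 0x20] ^= 0xFF
    return io.BytesIO(bytes(track))

def demo():
    """Baseline the clean image, then re-check a clean and a patched image."""
    baseline = boot_track_digest(make_demo_stream())
    clean_ok, _ = verify(make_demo_stream(), baseline)
    tampered_ok, _ = verify(make_demo_stream(tampered=True), baseline)
    return clean_ok, tampered_ok

if __name__ == "__main__":
    # On a real machine the stream would be open("/dev/sda", "rb") (assumed path),
    # with the baseline kept off the laptop, e.g. on a USB key you carry yourself.
    print("clean unchanged=%s, tampered unchanged=%s" % demo())
```

The check must itself run from trusted media (a live USB you control), since a loader that has already been hooked could lie about its own sectors.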
Comments
That's pretty worrying.
So I'm guessing it acts as a rootkit whilst sniffing? Is there no way to prevent the program from sniffing in the first place? I'm not talking about that particular program, but anything that is recording the keystrokes/passphrase?
I always thought TC to be pretty secure, but I guess everything has its Achilles heel.
The use of the TPM should prevent this, NO? I like the wrench approach, not very high tech but effective :)
don't allow boot from USB...
what about power-on passwords (BIOS) and hardware-encrypted hard drives (like the ThinkPad series)?
You can't boot without entering the system password - and this is pre-bios startup!
Some people use keyfiles stored on thumb drives instead of passwords, can it record that as well?
That's an expensive work around if you had to change all the drives on 100 plus machines. Then again it all depends on how much people need top security.
Still a shame that there isn't a piece of software that can guard against this. Maybe companies like TC may have to change how the encryption itself is implemented to avoid this hole?
Guess it's time to
1) pull sensitive data off the harddrive.
2) make application space read only and
3) clean temporary storage on boot.
Dominic, while wrench-wielding maids are certainly a possibility, part of the issue here is that they can do it without you knowing it. I can imagine a lot of cases where the thief would not want the user to know that sensitive data had been stolen.
BitLocker w/TPM and pin FTW!
As others have mentioned, this attack would not work against the TPM+Hardware Encryption found in ThinkPads.
Rutkowska addresses the TPM/BitLocker defenses toward the end of the blog post: http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html
Oh no! Bullshit detector triggered!
This attack is worthless because:
a) It's much less effective than a generic keylogger (be that hardware or pre-boot)
b) The wrench method is always better, or, alternatively the - until-now, but hereby revealed - very secret "camera-in-hotel-room"-method.
c) It's easily guarded against by using simple measures like BIOS passwords for changing the boot order configuration + setting the hard disk with a higher priority. But let's say that the maid is so technically advanced that she knows how to (OMG! OMG!) take out a screw and pick out the laptop's HDD and connect it to her own, effectively removing the need for a boot disk. How about STORING YOUR VOLUME HEADER AND BOOT LOADER on a USB, like TrueCrypt for Windows actually forces you to set up when you install "system partition" encryption?
d) I think that the conclusion is that using anything but a hardware keylogger / a hidden camera / a microphone bug / a long-range laser vibration-based microphone pointed at a window / a wrench / serum of truth + wrench is kind of stupid.
That being said, it's a cool project. Cool, but massively overhyped.