Protecting the BitLocker bits in Vista

So last night my MVP lead (Sasha) was in town and a bunch of MVPs got together to break bread and converse on all things geek. During the dinner there was discussion about the effectiveness of BitLocker, and the risks against the Cold Boot attack that Princeton published in a paper back in February. There is even an excellent video that shows this attack in action for those that don't know about it.

In short, due to a characteristic of memory called “DRAM remanence”, it is possible to attack disk encryption technology like BitLocker and blow past the very safeguards it provides. Cryptographic systems are only as secure as the protection of the keys, and the research at Princeton shows how easy systems like BitLocker, FileVault and TrueCrypt can be beaten.

Now to many, including most of the MVPs around the table last night, that's a theoretical attack which isn't practical. I beg to differ. And I will tell you why.

A few weeks ago at the HOPE (Hackers On Planet Earth) conference in New York, the source code for the tools for this attack were released. And I have personal knowledge of at least one laptop which has since been compromised using this attack in the field.

Although not a very practical attack, this is indeed real. So closing your Vista Enterprise or Ultimate laptop and letting go to sleep under the belief that you are protected is a fallacy. So I thought I would explain a few things you CAN do to reduce this risk and protect your encrypted systems.

First off, you need to understand the balance and trade offs between security and usability and how to assess risk to your information assets protected with technical safeguards like BitLocker. A great starting point is to check out Russ Humphries' MSDN blog post on the subject. He includes pointers to the best practice guidance in the Data Encryption Toolkit, which is where Microsoft explains these things.

Secondly, you have to understand the basic premise of this attack. It relies on how DRAM remanence works. You can configure BitLocker in Advanced Mode to use hibernation rather than sleep, and you should really do that. When using sleep mode, Vista will not encrypt the RAM contents, exposing the encryption keys BitLocker uses to the Princeton attack. This means that any laptop sleeping in its bag at the airport is fair game.

If you use hibernation, the system is effectively turned off, and with no power to the RAM there is no chance of information disclosure risk with key residual data even existing on the chips. Even if someone seized the machine, they wouldn't be able to recover the keys as during resume from hiberation, the BitLocker credentials will need to be provided BEFORE the keys will be loaded into memory.

You can also make it more difficult for unauthorized users to exploit this attack vector by limiting their ability to perform warm reboots in an effort to keep the keys in memory. Using Group Policy there is a setting under the Windows Security Policy called “Shutdown: Allow system to be shut down without have to log on”. If you disable that, they are going to have to do a hard power cycle which will again go through the system post and require the BitLocker credential before keys will be loaded into memory. To be clear, this won't prevent the attack... it just makes it more difficult. And there is nothing wrong with another layer of defense that costs you nothing to deploy. :-)

So I hope that helps. use a PIN credential for BitLocker. Hibernate instead of sleep. Don't let unauthorized users perform warm reboots. You will significantly reduce the risk against the Princeton Cold Boot attack, and let BitLocker do what it was designed to do in the first place. Offer more protection to the data assets on the disk, and make it more difficult for attackers to access the protected information.

Remember, security is about risk mitigation... not risk avoidance. BitLocker does a great job, and this guidance will help mitigate the most obvious attack vector against the system.

Hope it helps.